About this Book and the Library


The Identity Manager - Configuring Auditing in Identity Manager Guide provides the information 
necessary to set up Identity Manager components for auditing events. You can then integrate NetIQ 
Sentinel with Identity Manager to provide auditing and reporting services. 


Intended Audience 


This book provides information for individuals responsible for understanding administration concepts 
and implementing a secure, distributed administration model. 


Other Information in the Library 


For more information about the library for Identity Manager, see the Identity Manager documentation 
website. 


About NetIQ Corporation 


We are a global, enterprise software company, with a focus on the three persistent challenges in your
environment: Change, complexity and risk—and how we can help you control them.


Our Viewpoint 


Adapting to change and managing complexity and risk are nothing new

In fact, of all the challenges you face, these are perhaps the most prominent variables that deny
you the control you need to securely measure, monitor, and manage your physical, virtual, and
cloud computing environments.


Enabling critical business services, better and faster 


We believe that providing as much control as possible to IT organizations is the only way to 
enable timelier and cost effective delivery of services. Persistent pressures like change and 
complexity will only continue to increase as organizations continue to change and the 
technologies needed to manage them become inherently more complex. 


Our Philosophy 


Selling intelligent solutions, not just software

In order to provide reliable control, we first make sure we understand the real-world scenarios in
which IT organizations like yours operate — day in and day out. That's the only way we can
develop practical, intelligent IT solutions that successfully yield proven, measurable results. And
that's so much more rewarding than simply selling software.


Driving your success is our passion 


We place your success at the heart of how we do business. From product inception to
deployment, we understand that you need IT solutions that work well and integrate seamlessly
with your existing investments; you need ongoing support and training post-deployment; and you
need someone that is truly easy to work with — for a change. Ultimately, when you succeed, we
all succeed.


Our Solutions 


• Identity & Access Governance
• Access Management
• Security Management
• Systems & Application Management
• Workload Management
• Service Management
Contacting Sales Support


For questions about products, pricing, and capabilities, contact your local partner. If you cannot 
contact your partner, contact our Sales Support team. 


Worldwide: www.netiq.com/about_netiq/officelocations.asp
United States and Canada: 1-888-323-6768
Email: info@netiq.com
Web Site: www.netiq.com


Contacting Technical Support 


For specific product issues, contact our Technical Support team. 


Worldwide: www.netiq.com/support/contactinfo.asp
North and South America: 1-713-418-5555
Europe, Middle East, and Africa: +353 (0) 91-782 677
Email: support@netiq.com
Web Site: www.netiq.com/support


Contacting Documentation Support 


Our goal is to provide documentation that meets your needs. If you have suggestions for
improvements, click Add Comment at the bottom of any page in the HTML versions of the
documentation posted at www.netiq.com/documentation. You can also email
Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.


Contacting the Online User Community 


Qmunity, the NetIQ online community, is a collaborative network connecting you to your peers and
NetIQ experts. By providing more immediate information, useful links to helpful resources, and
access to NetIQ experts, Qmunity helps ensure you are mastering the knowledge you need to realize
the full potential of IT investments upon which you rely. For more information, visit
http://community.netiq.com.
1 Overview


This guide helps you implement uniform auditing across Identity Manager.


Identity Manager Auditing Architecture 


The following diagram illustrates how different components work together to provide a uniform 
auditing infrastructure in Identity Manager. Sentinel is the preferred audit event destination for Identity 
Manager. Identity Manager provides event forwarding capabilities to Sentinel by configuring Sentinel 
Link using Sentinel Event Source Management (ESM). 


[Figure: Identity Manager auditing architecture. Identity Manager sends events to its logging
service, which forwards them to the Sentinel Server over the audit port (1468) or the port you
specify in the auditlogconfig.properties file. When disconnected from the Sentinel Server, the
logging service writes events to a cache; when reconnected to the Sentinel Server, it sends the
cached events. The Sentinel Server is managed from the Sentinel Control Center.]


1. An Identity Manager event occurs and it is sent to the logging services.

2. (Conditional) If the logging services cannot connect to the Event Source Server, the events are
stored in cache until the connection is reestablished.

3. The logging services send the events to the Sentinel Server, which stores the events in the
audit queue.

4. The events in the audit queue are sent to the Syslog Connector.

5. The Syslog Connector sends the events to the Identity Manager Collector, which parses the
information and then stores the parsed events in the data store.

6. (Optional) The stored events can be used for reports.


For a thorough discussion of the Sentinel architecture, see “Appendix A Sentinel Architecture” in the 
NetIQ Sentinel User’s Guide. 
Configuring NetIQ Sentinel with Identity Manager


Use the following checklist to verify that all of the steps are completed to install and configure Sentinel 
with Identity Manager. 


O Install and configure Sentinel. You can install Sentinel on the Identity Manager server or on a
different server. For more information, see the NetIQ Sentinel Installation Guide.

O Install and configure the NetIQ Sentinel Identity Manager Collector. For more information, see
Chapter 3, “Installing and Configuring the Identity Manager Collector,” on page 13.

O Install and configure the NetIQ Audit Connector. For more information, see Chapter 4, “Installing
the Audit and Syslog Connector,” on page 15.

O Install and configure the NetIQ Syslog Connector. For more information, see Chapter 4,
“Installing the Audit and Syslog Connector,” on page 15.

O Configure Identity Manager components to use Common Event Format (CEF). For more
information, see Chapter 6, “Configuring Identity Manager Components to Log Audit Events in
CEF Format,” on page 23.

O (Optional) Secure the connection between Identity Manager and the Platform Agent. For more
information, see Chapter 7, “Securing the Logging System,” on page 27.

O Configure the Sentinel Control Center to access the predefined reports for Identity Manager.
Installing and Configuring the Identity Manager Collector


The Identity Manager Collector parses and normalizes the raw data passed to it by the Audit or 
Syslog Connector and converts the data into a Sentinel event. The Sentinel event can be visualized 
in the Active View, processed by the correlation engine, queried in a report, and added to an incident 
response workflow. 


The Identity Manager Collector can also parse non-event data and transform the raw scan data into a 
format understood by Sentinel. Sentinel then stores the vulnerability data in the database and 
includes it in the Exploit Detection map. For more detailed information about Sentinel collectors, see 
the Sentinel Collector Script User’s Guide. 


NOTE: After fresh installation of Sentinel with the required collectors and connectors installed and 
configured, restart Sentinel for the changes to take effect. 


Installing and Configuring the Identity Manager 
Collector 


The Identity Manager Collector must be added to the Event Source Manager to be installed. This step 
is only done once. The Identity Manager Collector is then displayed as a collector to select during 
configuration. 


To install the Identity Manager Collector:

1 Download the latest Identity Manager Collector (.zip file) from the NetIQ Downloads website.
2 Log in to the Sentinel Control Center.
3 Select the Event Source Management > Live View, then select Tools > Import plugin.
4 Browse to and select the .zip file you just downloaded, then click Next.
5 Follow the remaining prompts, then click Finish.


The Identity Manager Collector must be configured to work. To configure the Identity Manager
Collector:

1 In the Event Source Management live view, right-click Sentinel Server, then click Add Collector.
2 Select NetIQ in the Vendor column.
3 Select Identity Manager in the Name column, then click Next.
4 From the Installed Collectors column, select NetIQ_Identity-Manager_Collector_Version, then
click Next. For example, NetIQ_Identity-Manager_2011.1r5.clz.zip.
5 Follow the prompts and click Finish.


The next step is to proceed to Chapter 4, “Installing the Audit and Syslog Connector,” on page 15. 
Installing and Configuring the SSPR and OSP Collectors


To install the SSPR or OSP Collector:

1 Download the latest SSPR or OSP Collector (.zip file) from the NetIQ Plug-ins website.

NOTE: OSP is bundled with Sentinel. Extract the .zip file and browse to its contents to view the
OSP collector.

2 Log in to the Sentinel Control Center.
3 Select the Event Source Management > Live View, then select Tools > Import plugin.
4 Browse to and select the .zip file you just downloaded, then click Next.
5 Follow the remaining prompts, then click Finish.
The SSPR or OSP Collector must be configured to work. To configure the SSPR or OSP Collector:

1 In the Event Source Management live view, right-click Sentinel Server, then click Add Collector.
2 Select NetIQ in the Vendor column.
3 Select Identity Manager in the Name column, then click Next.
4 From the Installed Collectors column, select <Collector>_<Collector_Version>, then click Next.
For example: SelfServicePasswordReset_<Collector_Version> or
OneSSOProvider_<Collector_Version>
5 Follow the prompts and click Finish.


For SSPR, the next step is to proceed to “Installing and Configuring the Syslog Connector” on 
page 16. 


For OSP, the next step is to proceed to Chapter 4, “Installing the Audit and Syslog Connector,” on 
page 15. 
Installing the Audit and Syslog Connector


The NetIQ Audit (formerly Novell Audit) and Syslog Connectors facilitate integration between Identity
Manager and Sentinel.


You must have the Identity Manager Collector installed and configured before proceeding with the 
installation and configuration of Audit and Syslog Connector. 


NOTE: After fresh installation of Sentinel with the required collectors and connectors installed and 
configured, restart Sentinel for the changes to take effect. 


Installing and Configuring the Audit Connector 


To install the Audit Connector:

1 Download the latest Audit Connector (.zip file) from the Sentinel Plug-ins Web site to the server
where the Sentinel Control Center is running.
The Audit Connector is located under the Connectors tab.
2 Log in to the Sentinel Control Center.
3 Select Event Source Management > Live View, then select Tools > Import plugin.
4 Select the Import Collector Script or Connector plugin package file (.zip) option, then click Next.
5 Browse to and select the .zip file you just downloaded, then click Next.
You must use the latest plug-ins available from the Sentinel Plug-ins Web site.
6 Follow the remaining prompts, then click Finish.


You need to configure the Audit Connector for it to receive messages sent from Identity Manager to 
the Platform Agent. These events are then processed by the Identity Manager Collector. 


There are multiple ways to configure the Audit Connector. The following instructions use the
right-click menu items on the Event Source Management Graph view.

1 Right-click the Identity Manager Collector, then click Add Connector.
2 Select View Compatible Connection Methods Only.
3 Select NetIQ Audit from the list of installed connectors, then click Next.
4 Select the Event Source server to add to the Audit Connector, then click Next. Click Add to add
an Event Source server manually.
The Event Source server is the server that is running the Platform Agent and Identity Manager.
5 Use the default policy or create a custom policy to automatically add or exclude individual source
devices, then click Next.
For more information, see “Auto Configuring Event Sources” in the Audit Connector Guide.
6 Finish the configuration of the connector with the following information, then click Finish.


• Name: Specify a name for this connector.
• Run: Select whether the connector is started whenever the Collector Manager is started.
• Alert if no data received in specified time period: (Optional) Select this option to send
the No Data Alert event to Sentinel if no data is received by the connector in the specified
time period.
• Limit Data Rate: (Optional) Set a maximum limit on the rate of data the connector sends to
Sentinel. If the data rate limit is reached, Sentinel throttles back on the source in order to
limit the flow of data.
• Set Filter: (Optional) Specify a filter on the raw data passing through the connector.
• Copy Raw Data to a File: (Optional) Save the raw data passing through this connector to a
file for further analysis.


Proceed to Chapter 5, “Installing and Configuring the Platform Agent,” on page 19. 


Installing and Configuring the Syslog Connector 


To install the Syslog Connector:

1 Download the latest Syslog Connector (.zip file) from the Sentinel Plug-ins Web site to the
server where the Sentinel Control Center is running.
The Syslog Connector is located under the Connectors tab.
2 Log in to the Sentinel Control Center.
3 Select Event Source Management > Live View, then select Tools > Import plugin.
4 Select the Import Collector Script or Connector plugin package file (.zip) option, then click Next.
5 Browse to and select the .zip file you just downloaded, then click Next.
You must use the latest plug-ins available from the Sentinel Plug-ins Web site.
6 Follow the remaining prompts, then click Finish.
For upgrading the Syslog Connector, see the Sentinel Plug-ins Web site.


You can configure the auditlogconfig.properties file to enable the Syslog Connector to receive
messages sent from Identity Manager. These events are then processed by the Identity Manager
Collector.


There are multiple ways to configure the Syslog Connector. The following instructions use the
right-click menu items on the Event Source Management Graph view.

1 Right-click the <Name of the Collector>, then click Add Connector.
2 Select View Compatible Connection Methods Only.
3 Select Syslog from the list of installed connectors, then click Next.
4 Select the Event Source Server (UDP, TCP, or SSL), then click Next. Click Add to add an Event
Source server manually.
5 Finish the configuration of the connector with the following information, then click Finish.
• Name: Specify a name for this connector.
• Run: Select whether the connector is started whenever the Collector Manager is started.
• Alert if no data received in specified time period: (Optional) Select this option to send
the No Data Alert event to Sentinel if no data is received by the connector in the specified
time period.
• Limit Data Rate: (Optional) Set a maximum limit on the rate of data the connector sends to
Sentinel. If the data rate limit is reached, Sentinel throttles back on the source in order to
limit the flow of data.
• Set Filter: (Optional) Specify a filter on the raw data passing through the connector.
• Copy Raw Data to a File: (Optional) Save the raw data passing through this connector to a
file for further analysis.


For more information about enabling the Syslog Connector, see “Understanding the 
auditlogconfig.properties File” on page 51. 
Installing and Configuring the Platform Agent


The Platform Agent is the client portion of the Sentinel auditing system for Identity Manager. It 
receives logging information and system requests from Identity Manager and transmits the 
information to the NetIQ Audit Connector for NetIQ Sentinel. 


• “Installing the Platform Agent” on page 19
• “Configuring the Platform Agent Text File” on page 19


Installing the Platform Agent 


The Platform Agent is automatically installed if the NetIQ Identity Manager Server, NetIQ Identity
Manager Connected System, or Fanout Agent option is selected during the Identity Manager
installation.


IMPORTANT: The Platform Agent must be installed on every server running Identity Manager if you 
want to log Identity Manager events. 


Configuring the Platform Agent Text File 


After you install Identity Manager, you can configure the Platform Agent. The Platform Agent's
configuration settings are stored in a simple, text-based logevent configuration file. By default, the
logevent file is located in the following directories:

Table 5-1 Platform Agent Configuration File

Operating System    File
Linux               /etc/logevent.conf
Solaris             /etc/logevent.conf
Windows             \windows\logevent.cfg


The following is a sample logevent file.

LogHost=127.0.0.1
LogCacheDir=c:\logcache
LogCachePort=1288
LogEnginePort=1289
LogCacheUnload=no
LogCacheSecure=yes
LogReconnectInterval=600
LogDebug=never
LogSigned=always
LogMaxBigData=3072
LogMaxCacheSize=2GB
LogCacheLimitAction=stop logging
ForceServerVersionNumber=1.0.0
LogJavaClassPath=/opt/novell/idm/rbpm/UserApplication/NAuditPA.jar


The entries in the logevent file are not case sensitive, entries can appear in any order, empty lines 
are valid, and any line that starts with a hash (#) is commented out. 


You must add the following entry to the logevent file to log events for the User Application:
LogJavaClassPath=/opt/novell/idm/rbpm/UserApplication/NAuditPA.jar


The User Application installation copies this file into the correct directory, but the entry must be 
manually added to the logevent file. 


The following table provides an explanation of each setting in the logevent file. The Platform Agent
is used by Sentinel and Novell Audit. The documentation for the Platform Agent is in the NetIQ Audit
Administration Guide (http://www.novell.com/documentation/novellaudit20/).


IMPORTANT: You must restart the Platform Agent any time you make a change to the configuration. 


Table 5-2 logevent Settings 


Setting Description 


LogHost=dns_name The hostname or IP address of the Event Source Server where 
the Platform Agent sends events. 


In an environment where the Platform Agent connects to multiple 
hosts—for example, to provide load balancing or system 
redundancy—separate the IP address of each server with 
commas in the LogHost entry. For example, 


LogHost=192.168.0.1,192.168.0.3,192.168.0.4 


The Platform Agent connects to the servers in the order specified. 
If the first logging server goes down, the Platform Agent tries to 
connect to the second logging server, and so on. 


LogCacheDir=path The directory where the Platform Agent stores the cached event 
information if the Event Source Server becomes unavailable. 


LogEnginePort=port The port at which the Platform Agent can connect to the Event 
Source Server. By default, this is port 1289. 
LogCachePort=port The port at which the Platform Agent connects to the Logging
Cache Module. By default, this is port 1288.

If the connection between the Platform Agent and the Event
Source Server fails, Identity Manager continues to log events to
the local Platform Agent. The Platform Agent simply switches into
Disconnected Cache mode; that is, it begins sending events to the
Logging Cache module (lcache). The Logging Cache module
writes the events to the Disconnected Mode Cache until the
connection is restored.

When the connection to the Event Source Server is restored, the
Logging Cache Module transmits the cache files to the Event
Source Server. To protect the integrity of the data store, the Event
Source Server validates the authentication credentials in each
cache file before logging its events.

LogCacheUnload=Y|N Set the parameter to N to prevent lcache from being unloaded.

LogCacheSecure=Y|N Set the parameter to Y to encrypt the local cache file.

LogReconnectInterval=seconds The interval, in seconds, at which the Platform Agent and the
Platform Agent Cache try to reconnect to the Event Source Server
if the connection is lost. By default, this is 600.

LogDebug=Never|Always The Platform Agent debug setting.

• Set to Never to never log debug events.
• Set to Always to always log debug events.

LogSigned=Never|Always The signature setting for Platform Agent events.

IMPORTANT: Sentinel can receive and map Audit signatures to a
NetIQ Sentinel event field; however, Sentinel does not currently
verify event signatures.

• Set to Never to never sign or chain events.
• Set to Always to always log events with a digital signature
and to sequentially chain events.

LogMaxBigData=bytes The maximum size of the event data field. The default value is
3072 bytes. Set this value to the maximum number of bytes the
client allows. Data that exceeds the maximum is truncated or not
sent if the application doesn't allow truncated events to be logged.

LogMaxCacheSize=bytes The maximum size, in bytes, of the Platform Agent cache file. By
default, the maximum size is 2 GB. If this size is not specified, the
log cache file continues to grow until it reaches 2 GB.

LogCacheLimitAction=stop logging|drop cache The action that you want the cache module to take when it
reaches the maximum cache size limit.

• Set to stop logging if you want to stop collecting new
events.
• Set to drop cache if you want to delete the cache and start
over with any new events that are generated.

ForceServerVersionNumber=version number To instruct the Platform Agent to use a particular Secure Log
Server protocol version if events are logged to a log server from
Nsure Audit version 1.0.x. The valid values are: 1.0.0, 1.0.1, 1.0.2,
1.0.3, 1.0.3.P1, 1.0.3.P2, and so on.

If you are using patches from Nsure Audit 1.0.3, indicate the patch
number being used, for example, P1, P2, P3, and so on. With
Nsure Audit 1.0.3 Patch 2, the Secure Log Server properly reports
the protocol in use and the NetIQ Audit 2.0.x Platform Agent
automatically uses the protocol reported by the Secure Log
Server.

LogJavaClassPath The location of the NAuditPA.jar lcache file. For example:

LogJavaClassPath=/opt/novell/idm/rbpm/UserApplication/NAuditPA.jar
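The following is an added example, not NetIQ code, that applies the logevent file rules stated above (settings are case-insensitive, appear in any order, blank lines are valid, and lines starting with # are comments) and then checks the parsed settings against Table 5-2 for values that weaken or silence auditing. The file contents, paths and addresses in it are constructed for the demonstration.

```python
"""Parse and sanity-check a Platform Agent logevent file (logevent.conf / logevent.cfg).

Added example, not NetIQ code. The parsing rules and the settings it knows about
come from the guide; the sample file below is constructed.
"""
from typing import Dict, List

# Settings documented in Table 5-2, lower-cased for case-insensitive matching.
KNOWN_KEYS = {
    "loghost", "logcachedir", "logcacheport", "logengineport",
    "logcacheunload", "logcachesecure", "logreconnectinterval", "logdebug",
    "logsigned", "logmaxbigdata", "logmaxcachesize", "logcachelimitaction",
    "forceserverversionnumber", "logjavaclasspath",
}

# Constructed sample: a server whose cache and signing settings were relaxed.
SAMPLE_LOGEVENT = """\
# Platform Agent configuration (constructed sample)
LogHost=192.168.0.1,192.168.0.3,192.168.0.4
LogCacheDir=/var/opt/novell/naudit/cache

logcachesecure=no
LogSigned=never
LOGDEBUG=always
LogCacheLimitAction=drop cache
LogMaxCacheSize=2GB
LogReconnectInterval=600
"""


def parse_logevent(text: str) -> Dict[str, str]:
    """Return {lower-cased setting: value}; a later duplicate overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments are valid in logevent
        if "=" not in line:
            raise ValueError(f"malformed logevent line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def log_hosts(settings: Dict[str, str]) -> List[str]:
    """LogHost may hold several comma-separated servers; the order is the failover order."""
    return [h.strip() for h in settings.get("loghost", "").split(",") if h.strip()]


def _is_yes(value: str) -> bool:
    # The guide spells the value both as Y|N (table) and as yes/no (sample file).
    return value.strip().lower() in ("y", "yes")


def audit_logevent(settings: Dict[str, str]) -> List[str]:
    """Return findings about settings that weaken auditing, in a fixed order."""
    findings: List[str] = []
    for key in settings:
        if key not in KNOWN_KEYS:
            findings.append(f"unknown setting '{key}' is not listed in Table 5-2")
    if not log_hosts(settings):
        findings.append("LogHost is missing: no Event Source Server to send events to")
    if not _is_yes(settings.get("logcachesecure", "")):
        findings.append("LogCacheSecure is not Y: the disconnected-mode cache is written unencrypted")
    if settings.get("logsigned", "").lower() != "always":
        findings.append("LogSigned is not Always: events are neither signed nor chained")
    if settings.get("logdebug", "").lower() == "always":
        findings.append("LogDebug=Always: debug events are logged, adding volume to the audit stream")
    if settings.get("logcachelimitaction", "").lower() == "drop cache":
        findings.append("LogCacheLimitAction=drop cache: cached events are deleted at the cache limit")
    if "logjavaclasspath" not in settings:
        findings.append("LogJavaClassPath is missing: User Application events are not logged")
    return findings


if __name__ == "__main__":
    parsed = parse_logevent(SAMPLE_LOGEVENT)
    print("failover order:", log_hosts(parsed))
    for finding in audit_logevent(parsed):
        print("-", finding)
```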


NOTE: When you install and configure Identity Applications, by default, the
idmuserapp_logging.xml file is created in the /opt/netiq/idm/apps/tomcat/conf directory. You
must manually add the following parameter to the file to ensure that the NAudit events for User
Application are sent to Sentinel:

<param name="ApplicationDetail" value="DirXML"/>
Configuring Identity Manager Components to Log Audit Events in CEF Format


Identity Manager introduces Common Event Format (CEF), an open log management standard, for 
auditing events across all Identity Manager components. CEF enables you to use a common event 
log format so that auditing data can easily be collected and aggregated for further analysis. CEF 
format uses the Syslog message format as a transport mechanism. 


The following Identity Manager components support auditing with CEF: 


• Identity Vault (eDirectory)
• Identity Manager Engine
• Remote Loader
• .NET and Java Remote Loader
• Fanout Agent
• Identity Applications
• Data Collection Services (DCS)
• OSP


NOTE: In Identity Manager 4.7, Identity Reporting does not support auditing through CEF and 
Platform Agent. 


Advantages of CEF 


Previous versions of Identity Manager used a combination of different auditing solutions. Some 
components supported traditional auditing while others supported XDAS specification. Identity 
Manager 4.7 introduces CEF to provide a uniform auditing solution across all Identity Manager 
components that can help improve your experience of configuring and working with auditing. 


CEF uses a standard Syslog message format that simplifies log management. This enables you to 
integrate disparate Identity Manager data in your enterprise. The new event format seamlessly 
integrates with Sentinel. 


Setting up CEF Configuration 


After you install Identity Manager, ensure that all Identity Manager components are configured to 
generate the CEF events. To configure the components, see the following sections: 


• “Configuring Identity Manager Engine” on page 24
• “Configuring Remote Loader” on page 24
• “Configuring .NET Remote Loader” on page 25
• “Configuring Java Remote Loader” on page 25
• “Configuring Fanout Agent” on page 25
• “Configuring Identity Applications” on page 25
• “Configuring Data Collection Services” on page 26


IMPORTANT: If Identity Manager loses communication with the Sentinel server, Java Remote 
Loader, Fanout agent, and DCS events are not logged in the cache file for an approximate duration of 
two minutes. After the connection is restored, any cached events are sent to Sentinel after a delay of 
two minutes. There is no loss of events when Sentinel is normally shut down. 


The CEF configuration settings are stored in simple, text-based files, one for each component. For more
information, see Understanding the Properties Files for CEF Auditing.


Before configuring the Identity Manager components, ensure that the Identity Manager collector is 
configured in the Sentinel server. CEF support is introduced from Identity Manager collector version 
2011.1r5 onwards. For information about installing and configuring the Identity Manager collector, 
see Installing and Configuring the Identity Manager Collector. 


Configuring Identity Manager Engine 


NOTE: After modifying the auditlogconfig.properties file, manually restart the Identity Vault. 


The Identity Manager engine provides events for auditing.
To select events for auditing in CEF, use iManager:

1 Log in to iManager.
2 Select Identity Manager Administration > Identity Manager Overview.
3 Browse to and select the driver set object that contains the driver.
4 Select the driver set object that contains the driver.
5 Click Driver Set and then click Edit Driver Set properties.
6 Click the Log Level tab, select the Log specific events radio button, and then click the edit icon.
7 Select the CEF radio button.
8 Select the events you want to log and click OK.


By default, the auditlogconfig.properties.template for Identity Manager Engine is located in 
the following directories: 


Linux: /etc/opt/novell/eDirectory/conf/
Windows: C:\netiq\eDirectory


For the list of Identity Manager engine events, see Engine Events. 


Configuring Remote Loader 


By default, the auditlogconfig.properties.template for Remote Loader is located in the 
following directories: 


Linux: /etc/opt/novell/eDirectory/conf/
Windows: \products\IDM\windows\setup\remoteloader\<processor_type>\


For the list of Remote Loader events, see Remote Loader Events. 


Configuring .NET Remote Loader 


The .NET Remote Loader is applicable for Windows only. 


By default, the auditlogconfig.properties.template for .NET Remote Loader is located in the
products\IDM\windows\setup\remoteloader.NET directory.


Configuring Java Remote Loader 


NOTE: Ensure that the Rolling File Appender directory exists for Java Remote Loader. Otherwise, 
events are not logged. 


The auditlogconfig.properties.template for Java Remote Loader is located in the following
directories:

Linux: <extracted loc of dirxml_jremote.tar.gz>/doc
(dirxml_jremote.tar.gz is located at IDM/packages/java_remoteloader)
Windows: <extracted loc of dirxml_jremote.tar.gz>/doc
(dirxml_jremote.tar.gz is located at products/IDM/java_remoteloader)

To run the Java Remote Loader, specify the following command:

dirxml_jremote -config <Remote Loader configuration file> -auditlogfile /<PATH of the directory where auditlogconfig.properties file is located>/auditlogconfig.properties


For a list of Java Remote Loader events, see Remote Loader Events.


Configuring Fanout Agent


NOTE: Ensure that the Rolling File Appender directory exists for Fanout Agent. Otherwise, events 
are not logged. 


When you run the Fanout agent for the first time, the auditlogconfig.properties.template file is 
created and located in the following directories: 


Linux: /opt/novell/dirxml/fanoutagent/config 
Windows: <install-location>\FanoutAgent\config 


For the list of events, see Fanout Agent Events. 


Configuring Identity Applications 


The configuration settings for the identity applications logging are stored in the
idmuserapp_logging.xml file, which is located by default in the following directories:

Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: C:\netiq\idm\apps\tomcat\conf

NOTE: Restart Tomcat manually after configuring the idmuserapp_logging.xml file.

You must manually add the following in the idmuserapp_logging.xml file.


<appender class="com.netiq.idm.logging.syslog.CEFSyslogAppender" name="CEF">
<param name="Threshold" value="ALL"/>
<param name="Facility" value="user"/>
<param name="SyslogHost" value="<IP address of your Sentinel server>"/>
<param name="SyslogPort" value="<sentinel TCP port>"/>
<param name="SyslogProtocol" value="ssl"/>
<param name="SyslogSslKeystoreFile" value="/opt/netiq/idm/jre/lib/security/cacerts"/>
<param name="SyslogSslKeystorePassword" value="changeit"/>
<param name="CacheDir" value="/opt/netiq/idm/apps/tomcat/cache"/>
<param name="CacheRolloverSize" value="1024"/>
<param name="ApplicationName" value="RBPM"/>
<param name="EventPrefix" value="IDM:"/>
</appender>


For the list of identity applications events, see User Application Events. 
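The following is an added example, not NetIQ code, that checks the CEF appender block above (and the ApplicationDetail parameter required for NAudit events, noted in the Platform Agent chapter) before Tomcat is restarted: it reports placeholders that were never replaced, a SyslogProtocol other than ssl, the Java default keystore password, and a missing ApplicationDetail parameter. The XML documents, host address and password it uses are constructed; the surrounding <configuration> root is an assumption made only so the samples parse.

```python
"""Check the CEF appender in idmuserapp_logging.xml for weak or incomplete settings.

Added example, not NetIQ code. The parameter names and the appender class come
from the guide; the XML documents below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

CEF_APPENDER_CLASS = "com.netiq.idm.logging.syslog.CEFSyslogAppender"
# Unreplaced guide placeholders such as value="<IP address of your Sentinel server>"
PLACEHOLDER = re.compile(r'value="<[^">]*>"')

# Constructed: placeholders replaced, but plain TCP, the default keystore password,
# and no ApplicationDetail parameter.
WEAK_XML = """<configuration>
  <appender class="com.netiq.idm.logging.syslog.CEFSyslogAppender" name="CEF">
    <param name="Threshold" value="ALL"/>
    <param name="Facility" value="user"/>
    <param name="SyslogHost" value="198.51.100.10"/>
    <param name="SyslogPort" value="1468"/>
    <param name="SyslogProtocol" value="tcp"/>
    <param name="SyslogSslKeystoreFile" value="/opt/netiq/idm/jre/lib/security/cacerts"/>
    <param name="SyslogSslKeystorePassword" value="changeit"/>
    <param name="CacheDir" value="/opt/netiq/idm/apps/tomcat/cache"/>
    <param name="CacheRolloverSize" value="1024"/>
    <param name="ApplicationName" value="RBPM"/>
    <param name="EventPrefix" value="IDM:"/>
  </appender>
</configuration>
"""

# Constructed: the same appender with the weak settings corrected.
HARDENED_XML = (
    WEAK_XML.replace('value="tcp"', 'value="ssl"')
    .replace('value="changeit"', 'value="constructed-keystore-pass"')
    .replace('<param name="EventPrefix" value="IDM:"/>',
             '<param name="EventPrefix" value="IDM:"/>\n'
             '    <param name="ApplicationDetail" value="DirXML"/>')
)

# Constructed: the guide's template pasted in with its placeholders left untouched.
PLACEHOLDER_XML = """<configuration>
  <appender class="com.netiq.idm.logging.syslog.CEFSyslogAppender" name="CEF">
    <param name="SyslogHost" value="<IP address of your Sentinel server>"/>
    <param name="SyslogPort" value="<sentinel TCP port>"/>
  </appender>
</configuration>
"""


def appender_params(xml_text: str) -> Dict[str, str]:
    """Return the {name: value} params of the CEF appender, or {} if it is absent."""
    root = ET.fromstring(xml_text)
    for appender in root.iter("appender"):
        if appender.get("class") == CEF_APPENDER_CLASS:
            return {p.get("name", ""): p.get("value", "") for p in appender.findall("param")}
    return {}


def check_cef_appender(xml_text: str) -> List[str]:
    """Return findings; an empty list means the appender passed every check."""
    # Unreplaced <...> placeholders are not well-formed XML, so scan the raw text first.
    findings = [f"placeholder not replaced: {m}" for m in PLACEHOLDER.findall(xml_text)]
    if findings:
        return findings
    params = appender_params(xml_text)
    if not params:
        return ["no CEF appender found: identity applications events will not reach Sentinel"]
    if params.get("SyslogProtocol", "").lower() != "ssl":
        findings.append("SyslogProtocol is not ssl: CEF events travel to Sentinel unencrypted")
    if params.get("SyslogSslKeystorePassword") == "changeit":
        findings.append("SyslogSslKeystorePassword is the Java default 'changeit'")
    if not params.get("SyslogSslKeystoreFile"):
        findings.append("SyslogSslKeystoreFile is empty: no trust store for the SSL connection")
    if not params.get("SyslogHost"):
        findings.append("SyslogHost is empty: no Sentinel server to send events to")
    if params.get("ApplicationDetail") != "DirXML":
        findings.append('ApplicationDetail is not "DirXML": NAudit events for the User Application are not sent')
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_XML), ("hardened", HARDENED_XML), ("template", PLACEHOLDER_XML)):
        print(label, check_cef_appender(doc) or "OK")
```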


Configuring Data Collection Services 


The configuration settings for DCS auditing are stored in the idmrptdcs_logging.xml file. By default,
the file is located in the following directories:

Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: C:\netiq\idm\apps\tomcat\conf

NOTE: Once you configure the idmrptdcs_logging.xml file, restart Tomcat manually.


NOTE: Ensure that the novlua user has permission on the Rolling File Appender directory and on the 
cache directory. Otherwise, the Rolling File Appender or the cache directory does not work and no 
events are logged. For example, you can change the ownership of a directory with the command 
chown novlua:novlua /<directorypath>, where <directorypath> is the Rolling File Appender path 
or the cache directory path. 


For a list of DCS events, see DCS Events. 
Securing the Logging System 


The Sentinel server and some of the Identity Manager components use embedded certificates 
generated by an internal Certificate Authority (CA). These SSL certificates secure the 
communication between the Identity Manager instrumentation and the Sentinel server, so the 
Identity Manager host must trust the certificate that the Sentinel server presents. 


To add the Sentinel server certificate to the Java keystore, perform the following actions: 


1 Download the public certificate in .der format from the Sentinel server. 


For example, if you use Mozilla Firefox, export the certificate as follows: 


1a Open the Sentinel server URL in your browser. 
1b Click Show site information > View Certificate. 
1c On the Details tab, export the certificate in .der format. 
2 Add the certificate to the Java keystore that the CEF syslog appender references in its 
SyslogSslKeystoreFile parameter. For example, use the following command: 


keytool -import -file PATH_OF_DERFILE\PublicKeyCert.der -keystore 
KEYSTOREPATH\NAME.keystore -storepass keystorepass 


Before you import, compare the fingerprint that keytool -printcert -file 
PATH_OF_DERFILE\PublicKeyCert.der displays with the fingerprint shown in the certificate 
details on the Sentinel server, so that the keystore trusts only the certificate you intended to add. 


The next step is to define which events to log. Proceed to “Managing Identity Manager Events” on 
page 29. 
Managing Identity Manager Events 


The event information sent to NetIQ Sentinel is managed through product-specific instrumentations, 
or plug-ins. The Identity Manager Instrumentation allows you to configure which events are logged to 
your data store. You can select predefined log levels, or you can individually select the events you 
want to log. You can also add user-defined events to the Identity Manager schema. 


The following sections review how to manage Identity Manager events: 


• “Selecting Events to Log” on page 29 
• “User-Defined Events” on page 33 
• “eDirectory Objects that Store Identity Manager Event Data” on page 36 


Selecting Events to Log 


The Identity Manager Instrumentation allows you to select events to be logged for the User 
Application, driver set, or a specific driver. 


NOTE: Drivers can inherit logging configuration from the driver set. 


• Selecting Events for the User Application 
• Selecting Events for the Driver Set 
• Selecting Events for a Specific Driver 
• Identity Manager Log Levels 


Selecting Events for the User Application 


The User Application enables you to change the log level settings of individual loggers and enable 
logging in Platform Agent and CEF format: 

1 Log in to Identity Applications. 

2 Select the Application tab. 

3 Select the Navigation and Access link. 

4 Click Application Configuration and then click Logging. 


Alternatively, you can log in to the User Application (IDMProv portal), select the Administration 
tab, and then click Logging. 




[Screenshot: Logging Configuration page. Each logger (com.novell, com.netiq, com.novell.afw.*, 
com.novell.common.auth, com.novell.pwdmgt.*, com.novell.soa.*, com.novell.srvprv.*, com.sssw.fw.*, 
com.sssw.portal.persist, com.novell.idm.nrf.service, and so on) has a Log Level drop-down, set to 
Info by default. Below the list are an Add log level for package field (for example 
com.netiq.cis.index), a Change log level of all above logs check box, an Enable CEF format check 
box and a Persist the logging changes check box.] 

5 Select one of the following log levels for each of the listed logs. 
To change the level of a log, select a different level for it and click Submit. To apply one level 
to every log at once, select Change log level of all above logs. 


[Screenshot: the remaining loggers on the Logging Configuration page, such as com.sssw, 
com.novell.afw.portal.*, com.novell.idm.security.authorization.service, com.novell.pwdmgt.*, 
com.novell.soa.*, com.novell.srvprv.*, com.sssw.fw.*, com.sssw.portal.manager and 
com.novell.idm.nrf.persist, followed by the Enable audit service check box. The check box is 
selected by default, so logging messages are also sent to the audit service; deselect it to stop 
sending them.] 


Log Level Description 


Fatal Writes Fatal level messages to the log. 

Error Writes Fatal and Error level messages to the log. 

Warn Writes Fatal, Error, and Warn level messages to the log. 

Info Writes Fatal, Error, Warn, and Info level messages to the log. 

Debug Writes Fatal, Error, Warn, Info, and debugging information to the log. 

Trace Writes Fatal, Error, Warn, Info, debugging, and tracing information to the log. 


6 Select the Enable audit service check box to send the events to Platform Agent. 
7 Select Enable CEF format check box if you want to log the events in CEF format. 


For this option to work, you must add the syslog appender to the idmuserapp_logging.xml file 
during the installation of the User Application. For more information, see Section 6, “Configuring 
Identity Manager Components to Log Audit Events in CEF Format,” on page 23. 


8 To save the changes for any subsequent application server restarts, select Persist the logging 
changes. 


9 Click Submit. 


The User Application logging configuration is saved in /opt/netiq/idm/apps/tomcat/conf/ 
idmuserapp_logging.xml. 


Selecting Events for the Driver Set 


1 In iManager, select Identity Manager > Identity Manager Overview. 
2 Browse to and select the driver set object. 


3 Click the driver set object in the list of driver sets, then click Driver Set > Edit Driver Set 
properties. 


4 Click the Log Level tab, then select a log level for the driver set. 
For an explanation of each log level, see Table 8-1, “Identity Manager Log Levels,” on page 32. 


5 Enable the Turn off logging to Driver Set, Subscriber and Publisher logs option to prevent 
logging audit events to eDirectory. 


Enabling this option improves the performance of the Identity Manager system. 


6 Click Apply or OK to save your changes. 


NOTE: Changes to configuration settings are logged by default. 


Selecting Events for a Specific Driver 


1 In iManager, select Identity Manager > Identity Manager Overview. 

2 Browse to and select the driver set object that contains the driver. 

3 Select the driver set from the list of driver sets. 

4 Click the upper right corner of the driver icon, then select Edit properties. 
5 Select the Log Level tab. 
6 (Optional) By default, the Driver object is configured to inherit log settings from the Driver Set 
object. To select logged events for this driver only, deselect Use log settings from the Driver Set. 


[Screenshot: the Use log settings from the Driver Set check box, followed by the note that the log 
settings shown come from the Driver Set and cannot be changed on this page; a link leads to the 
Driver Set settings.] 


7 Enable the Turn off logging to Driver Set, Subscriber and Publisher logs option. 
Enabling this option improves the performance of the Identity Manager system. 
8 Select a log level for the current driver. 
For an explanation of each log level, see Table 8-1, “Identity Manager Log Levels,” on page 32. 


9 Click Apply or OK to save your changes. 


NOTE: Changes to configuration settings are logged by default. 


Identity Manager Log Levels 


The following table provides an explanation of the Identity Manager Instrumentation log levels: 
Table 8-1 Identity Manager Log Levels 


Option                        Description 


Log errors                    This is the default log level. The Identity Manager Instrumentation 
                              logs user-defined events and all events with an error status. 
                              You receive only events with a decimal ID of 196646 (the DirXML 
                              Error event, 00030026 in Table A-1) and an error message stored in 
                              the Text1 field. 


Log errors and warnings       The Identity Manager Instrumentation logs user-defined events and 
                              all events with an error or warning status. 
                              You receive only events with a decimal ID of 196646 or 196647 (the 
                              DirXML Error and DirXML Warning events) and an error or warning 
                              message stored in the first text field. 


Log specific events           This option allows you to select the Identity Manager events you 
                              want to log. Click the icon next to the option to select the 
                              specific events you want to log, then click OK. 
                              To log events through Platform Agent, select the Novell Audit radio 
                              button. To log the events in CEF format, select the CEF radio 
                              button. 
                              NOTE: User-defined events are always logged. 
                              For a list of all available events, see Appendix A, “Identity 
                              Manager Events,” on page 41. 


Only update the last          The Identity Manager Instrumentation logs only user-defined events. 
log time                      When an event occurs, the last log time is updated so you can view 
                              the time and date of the last error in the status log. 


Logging off                   The Identity Manager Instrumentation logs only user-defined events. 


Turn off logging to           Turns off logging to the Driver Set object, Subscriber, and 
Driver Set, Subscriber        Publisher logs. 
and Publisher logs 


Maximum Number of             This setting allows you to specify the maximum number of entries to 
Entries in the Log            log in the status logs. 


User-Defined Events 


Identity Manager enables you to configure your own events to log to NetIQ Sentinel. Events can be 
logged by using an action in the Policy Builder, or within a style sheet. Any information you have 
access to when defining policies can be logged. 


User-defined events are logged any time logging is enabled and are never filtered by the Identity 
Manager engine. There are two different ways to generate user-defined events: 


• “Using Policy Builder to Generate Events” on page 33 
• “Using Status Documents to Generate Events” on page 36 


Using Policy Builder to Generate Events 


1 In the Policy Builder, define the condition that must be met to generate the event, then select the 
Generate Event action. 


2 Specify an event ID. 
Event IDs between 1000 and 1999 are allotted for user-defined events. You must specify a value 
within this range for the event ID when defining your own events. This ID is combined with the 
Identity Manager application ID of 003. 


3 Select a log level. 
Log levels enable you to group events based on the type of event being logged. The following 
predefined log levels are available: 


Log Level        Description 
log-emergency    Events that cause the Identity Manager engine or driver to shut down. 
log-alert        Events that require immediate attention. 
log-critical     Events that can cause parts of the Identity Manager engine or driver to 
                 malfunction. 
log-error        Events describing errors that can be handled by the Identity Manager 
                 engine or driver. 
log-warning      Negative events not representing a problem. 
log-notice       Positive or negative events an administrator can use to understand or 
                 improve use and operation. 
log-info         Positive events of any importance. 
log-debug        Events of relevance for support or for engineers to debug the Identity 
                 Manager engine or driver. 
4 Click the icon next to the Enter Strings field to launch the Named String Builder. 
In the Named String Builder, you can specify the string, integer, and binary values to include with 
the event. 


5 Use the Named String Builder to define the event values. 


[Screenshot: Named String Builder with Edit, Append New String and Remove buttons and three 
entries: name text1 with string value Operation Attribute("Given Name"), name text2 with string 
value Operation(), and name value1 with string value "1000".] 


The Identity Manager event structure contains a target, a subTarget, three strings (text1, text2, 
text3), two integers (value1, value3), and a generic field (data). The text fields are limited to 256 
bytes, and the data field can contain up to 3 KB of information, unless a larger data field is 
enabled in your environment. 
The following table provides an explanation of the Identity Manager event structure: 
Field          Description 


target         This field captures the event target. 
               All eDirectory events store the event’s object in the Target field. 


target-type    This field specifies which predefined format the target is represented in. 
               Defined values for this type are as follows: 
               • 0: None 
               • 1: Slash Notation 
               • 2: Dot Notation 
               • 3: LDAP Notation 


subTarget      This field captures the subcomponent of the target that was affected by the 
               event. 
               All eDirectory events store the event's attribute in the SubTarget field. 


text1          The value of this field depends upon the event. It can contain any text string 
               up to 255 characters. 


text2          The value of this field depends upon the event. It can contain any text string 
               up to 255 characters. 


text3          The value of this field depends upon the event. It can contain any text string 
               up to 255 characters. 


value1         The value of this field depends upon the event. It can contain any numeric 
               value up to 32 bits. 


value3         The value of this field depends upon the event. It can contain any numeric 
               value up to 32 bits. 


data           The value of this field depends upon the event. The default size of this field 
               is 3072 characters. 
               You can configure the size of this field in the LogMaxBigData value in 
               logevent.cfg. This value does not set the size of the Data field, but it does 
               set the maximum size that the Platform Agent can log. For more information, 
               see Chapter 5, “Installing and Configuring the Platform Agent,” on page 19. 
               The maximum size of the Data field is defined by the database where the data 
               is logged, so the size varies for each database that is used. If the size of 
               the Data field logged by the Platform Agent exceeds the maximum size allowed 
               by the database, the channel driver truncates the data in the Data field. 
               If an event has more data than can be stored in the String and Numeric value 
               fields, it is possible to store up to 3 KB of binary data in the Data field. 


6 Click OK to return to the Policy Builder to construct the remainder of your policy. 


For more information and examples of the Generate Event action, see “Generate Event” in the NetIQ 
Identity Manager - Using Designer to Create Policies guide. 
Using Status Documents to Generate Events 


Status documents generated through style sheets using the <xsl:message> element are sent to 
Sentinel with an event ID that corresponds to the status document level attribute. The level attributes 
and corresponding event IDs are defined in the following table: 


Table 8-2 Status Documents 


Status Level     Status Event ID 

Success          EV_LOG_STATUS_SUCCESS (1) 
Retry            EV_LOG_STATUS_RETRY (2) 
Warning          EV_LOG_STATUS_WARNING (3) 
Error            EV_LOG_STATUS_ERROR (4) 
Fatal            EV_LOG_STATUS_FATAL (5) 
User Defined     EV_LOG_STATUS_OTHER (6) 


The following example generates event 0x004 (EV_LOG_STATUS_ERROR) with value1=7777: 


<xsl:message> 
  <status level="error" text1="This would be text1" value1="7777">This data would 
  be in the blob and in text2, since no value is specified for text2 in the 
  attributes.</status> 
</xsl:message> 


The following example also generates event 0x004 (EV_LOG_STATUS_ERROR), with value1=7778: 


<xsl:message> 
  <status level="error" text1="This would be text1" text2="This would be text2" 
  value1="7778">This data would be in the blob only for this case, since a value for 
  text2 is specified in the attributes.</status> 
</xsl:message> 
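The rules from the two sections above (user-defined event IDs of 1000 to 1999 combined with application ID 003, the field limits in the event structure table, and the text2/Data rule that the two status document examples illustrate), as an added Python model. It is example code written for this page, not part of the guide or of the Identity Manager product: the numeric limits and status level IDs are the ones the guide states, while the class and function names, and the choice to truncate over-long text and flag it rather than drop the event, are this example's own.

```python
"""Model of the Identity Manager event structure and of user-defined events
(added example, not NetIQ code). Limits and IDs are those the guide states;
the names and the truncate-and-flag behaviour are this example's own."""
from dataclasses import dataclass
from typing import Optional

APP_ID = 0x0003                     # Identity Manager application ID "003"
USER_EVENT_MIN, USER_EVENT_MAX = 1000, 1999
TEXT_LIMIT = 255                    # text1, text2, text3
DATA_LIMIT_DEFAULT = 3072           # Data; LogMaxBigData in logevent.cfg raises what the agent logs
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
# Table 8-2: status level attribute -> event ID; any other level is EV_LOG_STATUS_OTHER
STATUS_LEVEL_IDS = {"success": 1, "retry": 2, "warning": 3, "error": 4, "fatal": 5}
STATUS_OTHER = 6


def full_event_id(app_id: int, event_id: int) -> int:
    """Combine application ID and event number: (3, 0x26) -> 0x00030026 == 196646."""
    return (app_id << 16) | event_id


def user_event_id(event_id: int) -> int:
    """Validate a Generate Event ID and return it combined with application ID 003."""
    if not USER_EVENT_MIN <= event_id <= USER_EVENT_MAX:
        raise ValueError("user-defined event IDs must be %d-%d, got %d"
                         % (USER_EVENT_MIN, USER_EVENT_MAX, event_id))
    return full_event_id(APP_ID, event_id)


@dataclass
class IdmEvent:
    event_id: int
    target: str = ""
    target_type: int = 0            # 0 none, 1 slash, 2 dot, 3 LDAP notation
    sub_target: str = ""
    text1: str = ""
    text2: str = ""
    text3: str = ""
    value1: int = 0
    value3: int = 0
    data: str = ""
    data_limit: int = DATA_LIMIT_DEFAULT
    truncated: bool = False         # set when a field had to be cut to fit

    def __post_init__(self):
        if self.target_type not in (0, 1, 2, 3):
            raise ValueError("target-type must be 0, 1, 2 or 3")
        for name in ("value1", "value3"):
            if not INT32_MIN <= getattr(self, name) <= INT32_MAX:
                raise ValueError(name + " must fit in 32 bits")
        # Text fields hold at most 255 characters: cut and flag rather than lose the event.
        for name in ("text1", "text2", "text3"):
            text = getattr(self, name)
            if len(text) > TEXT_LIMIT:
                setattr(self, name, text[:TEXT_LIMIT])
                self.truncated = True
        # The Data field is cut to the configured maximum, as the channel driver would do.
        if len(self.data) > self.data_limit:
            self.data = self.data[:self.data_limit]
            self.truncated = True


def status_document_event(level: str, body: str, text1: str = "",
                          text2: Optional[str] = None, value1: int = 0) -> IdmEvent:
    """<status level=... text1=... text2=... value1=...>body</status> inside <xsl:message>:
    the body always lands in Data, and also in text2 unless a text2 attribute is given."""
    number = STATUS_LEVEL_IDS.get(level.lower(), STATUS_OTHER)
    return IdmEvent(event_id=full_event_id(APP_ID, number), text1=text1,
                    text2=body if text2 is None else text2, value1=value1, data=body)


if __name__ == "__main__":
    ev = status_document_event("error", "This data would be in the blob and in text 2",
                               text1="This would be text1", value1=7777)
    print("%08X text2=%r data=%r" % (ev.event_id, ev.text2, ev.data))
    print("%08X" % user_event_id(1000))     # first user-defined ID under application 003
```

The `truncated` flag is the point of the model: a text or Data field that silently loses its tail is an audit record that no longer says what happened, so a policy that builds events should check the flag (or keep the full value in Data) rather than trust that 255 characters were enough.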


eDirectory Objects that Store Identity Manager Event Data 


The Identity Manager events you want to log are stored in the DirXML-LogEvent attribute on the 
Driver Set object or Driver object. The attribute is a multi-value integer with each value identifying an 
event ID to be logged. 


You do not need to modify these attributes directly, because these objects are automatically 
configured based on your selections in iManager. 


Before logging an event, the engine checks the current event type against the content of the 
DirXML-LogEvent attribute to determine whether the event should be logged. 


Drivers can inherit log settings from the driver set. The DirXML-DriverTraceLevel attribute of a Driver 
object has the highest precedence when determining log settings. If a Driver object does not contain 
a DirXML-DriverTraceLevel attribute, the engine uses the log settings from the parent driver set. 
In addition to the functionality provided by Sentinel, Identity Manager logs a specified number of 
events on the driver set and the driver. These status logs provide a view of recent Identity Manager 
activity. After the log reaches the set size, the oldest half of the log is permanently removed to clear 
room for more recent events. Therefore, any events you want to track over time should be logged to 
Sentinel. 
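An added Python model of the filtering and status-log behaviour described in this section and the previous one; it is illustrative code written for this page, not the engine's own. The attribute names (DirXML-LogEvent, DirXML-DriverTraceLevel), the error and warning event numbers and the 50 to 500 entry bound come from this guide; representing the iManager log level presets as sets of event numbers, treating the presence of DirXML-DriverTraceLevel as the precedence switch, and the object names are this example's reading of the text.

```python
"""Model of the engine's event filter and of the bounded status log
(added example, not NetIQ code)."""

ERROR_EVENT, WARNING_EVENT = 0x0026, 0x0027    # 196646 / 196647 once combined with app ID 0003
USER_EVENT_RANGE = range(1000, 2000)           # user-defined events are never filtered

# iManager log level presets, expressed as the DirXML-LogEvent values they select.
LOG_LEVEL_PRESETS = {
    "Log errors": {ERROR_EVENT},
    "Log errors and warnings": {ERROR_EVENT, WARNING_EVENT},
    "Only update the last log time": set(),
    "Logging off": set(),
}


def effective_log_events(driver: dict, driver_set: dict) -> set:
    """The driver's own DirXML-LogEvent applies when the Driver object carries
    DirXML-DriverTraceLevel; otherwise the driver set's values are inherited."""
    source = driver if "DirXML-DriverTraceLevel" in driver else driver_set
    return set(source.get("DirXML-LogEvent", ()))


def should_log(event_number: int, driver: dict, driver_set: dict) -> bool:
    if event_number in USER_EVENT_RANGE:
        return True
    return event_number in effective_log_events(driver, driver_set)


class StatusLog:
    """Driver or driver set status log: 50-500 entries; when it is full the oldest
    half is permanently removed, so long-term history belongs in Sentinel."""

    def __init__(self, max_entries: int):
        if not 50 <= max_entries <= 500:
            raise ValueError("Maximum number of entries in the log must be 50 - 500")
        self.max_entries = max_entries
        self.entries = []

    def append(self, entry) -> None:
        if len(self.entries) >= self.max_entries:
            del self.entries[:len(self.entries) // 2]
        self.entries.append(entry)


# Constructed objects: a driver set on "Log errors and warnings", one driver with its
# own "Log specific events" selection, and one driver that inherits from the set.
DRIVER_SET = {"DirXML-LogEvent": LOG_LEVEL_PRESETS["Log errors and warnings"]}
AD_DRIVER = {
    "DirXML-DriverTraceLevel": 0,                       # presence, not value, switches precedence
    "DirXML-LogEvent": {ERROR_EVENT, 0x0012, 0x0025},   # DirXML Error, Change Password, Password Reset
}
INHERITING_DRIVER = {}

if __name__ == "__main__":
    for num in (0x0012, 0x0027, 1500):
        print("%04X driver=%s inheriting=%s" % (
            num, should_log(num, AD_DRIVER, DRIVER_SET),
            should_log(num, INHERITING_DRIVER, DRIVER_SET)))
```

Note what the model makes visible: once a driver has its own settings, the driver set's selection no longer applies to it at all, so a warning that the driver set would have logged (0x0027 here) is dropped for AD_DRIVER unless it is selected on the driver too.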


The following sections contain information on the Identity Manager logs: 


• “Setting the Log Level and Maximum Log Size” on page 37 
• “Viewing Status Logs” on page 39 


Setting the Log Level and Maximum Log Size 


Status logs can be configured to hold between 50 and 500 events. This setting can be configured for 
the driver set to be inherited by all drivers in the driver set, or configured for each driver in the driver 
set. The maximum log size operates independently of the events you have selected to log, so you 
can configure the events you want to log for the driver set, then specify a different log size for each 
driver in the set. 


This section reviews how to set the maximum log size on the driver set or an individual driver: 


• “Setting the Log Level and Log Size for the Driver Set” on page 37 
• “Setting the Log Level and Log Size for the Driver” on page 38 


Setting the Log Level and Log Size for the Driver Set 


1 In iManager, select Identity Manager > Identity Manager Overview. 
2 Browse to and select the driver set. 
3 Click the driver set name to access the driver set overview page. 


4 Select Driver Set > Edit Driver Set properties. 


[Screenshot: Driver Set Overview page for driverset1.system with Overview, Libraries, Jobs and 
Dashboard tabs. The Driver Set menu lists Edit Driver Set properties, View status log, DirXML Script 
Tracing..., Version information... and Export...] 


5 Select Log Level. 
[Screenshot: the Log Level tab of the driver set properties (beside General, Named Passwords, 
Global Config Values and Status Log), with the radio buttons Log errors, Log errors and warnings, 
Log specific events, Log XDAS events, Only update the last log time and Logging off, the Turn off 
logging to Driver Set, Subscriber and Publisher logs check box, and the Maximum number of entries 
in the log (50 - 500) field.] 


6 Enable the Turn off logging to Driver Set, Subscriber and Publisher logs option to prevent 
logging audit events to eDirectory. 


Enabling this option improves the performance of the Identity Manager system. 
7 Specify the maximum log size in the Maximum number of entries in the log field: 




8 After you have specified the maximum number, click OK. 


Setting the Log Level and Log Size for the Driver 


1 In iManager select Identity Manager > Identity Manager Overview. 

2 Browse to and select the driver set. 

3 Click the driver set to access the driver set overview page. 

4 Click the upper right corner of the driver icon, then select Edit properties. 


[Screenshot: the driver menu on the driver set overview page, with Get current status, Health 
configuration, Statistics, Delete driver and Open Driver Overview.] 


5 Select Log Level. 
6 Deselect the Use log settings from the driver set option, if it is selected. 
7 Specify the maximum log size in the Maximum number of entries in the log field: 




8 After you have specified the maximum number, click OK. 


Viewing Status Logs 


The status logs are short-term logs for the driver set, the Publisher channel, and the Subscriber 
channel. They are accessed through different locations in iManager. 


• “Accessing the Driver Set Status Log” on page 39 
• “Accessing the Publisher Channel and Subscriber Channel Status Logs” on page 40 


Accessing the Driver Set Status Log 


The status log for the driver set contains only messages generated by the engine, such as state 
changes for any drivers in the driver set. All engine messages are logged. There are two ways to 
access the driver set status log: 


• “Viewing the Log from the Driver Set Overview Page” on page 39 
• “Viewing the Log from the Driver Overview Page” on page 39 


Viewing the Log from the Driver Set Overview Page 


1 In iManager, select Identity Manager > Identity Manager Overview. 
2 Browse to and select the driver set. 
3 Click the driver set to access the driver set overview page. 


4 Select Driver Set > View status log. 


[Screenshot: the Driver Set menu on the driver set overview page, with Edit Driver Set properties, 
View status log, DirXML Script Tracing... and Version information...] 


Viewing the Log from the Driver Overview Page 


1 In iManager, select Identity Manager > Identity Manager Overview. 

2 Browse to and select the driver set. 

3 Click the driver set to access the driver set overview page, then click any driver. 
The status log for the driver is stored on the driver overview page for each driver. 
4 Click the Driver Set Status Log icon above the driver object. 


[Screenshot: the driver overview page toolbar (Export..., Migrate, Synchronize..., DirXML Script 
Tracing..., Servers) for server metaserver1.servers.system, with the status log icon above the 
driver object.] 


Accessing the Publisher Channel and Subscriber Channel 
Status Logs 


The status logs for the Publisher and Subscriber channels report channel-specific messages 
generated by the driver, such as an operation veto for an unassociated object. 


To access the Publisher channel and the Subscriber channel logs: 


1 In iManager, select Identity Manager > Identity Manager Overview. 

2 Browse to and select the driver set. 

3 Click the driver set to access the driver set overview page. 

4 Click the desired driver object. 

5 Click the Publisher channel or the Subscriber channel status log icon. 


[Screenshot: the driver overview page toolbar (Export..., Migrate, Synchronize..., DirXML Script 
Tracing..., Servers) for server metaserver1.servers.system, with the Publisher channel and 
Subscriber channel status log icons.] 
Appendix A Identity Manager Events 


This section provides a listing of all events logged by Identity Manager. 


• “CEF Events” on page 41 
• “Event Structure” on page 44 
• “Remote Loader Events” on page 44 
• “Engine Events” on page 44 
• “Fanout Agent Events” on page 47 
• “User Application Events” on page 47 
• “DCS Events” on page 50 


CEF Events 


The following table lists the CEF events that can be audited through Sentinel: 


Table A-1 CEF Events 


CEF Event ID Description 
00030001 Status Success 
00030002 Status Retry 
000307DE Notify Job Update 
000303E4 Job Result Aborted 
000303E5 Job Result Error 
000303E6 Job Result Warning 
000303E7 Job Result Success 
00030003 Status Warning 
00030004 Status Error 
00030005 Status Fatal 
00030006 Status Other 
00030026 DirXML Error 
00030027 DirXML Warning 
00030028 Custom Operation 
000307DD Initialize Driver Object 
000307D1 Config:Driver Cache Limit 
000307D2 Config:Driver Set 
000307D0 Config:Log Events 
000307D3 Config:Driver Start Option 
00030008 Add Entry 
0003002F Add Value - Add Entry 
0003002E Reset Attributes 
0003002A Add Value - Modify Entry 
0003002B Remove Value 
00030029 Clear Attribute 
00030009 Delete Entry 
000307DB Cache Utility 
00030007 Search 
0003000F Query Schema 
0003000A Modify Entry 
0003000B Rename Entry 
0003002C Merge Entries 
0003000C Move Entry 
0003000D Add Association 
0003000E Remove Association 
00030020 Resync Driver 
000307D5 Migrate Application 
000307D4 Driver Resync 
000307DF Open Driver Action 
000307E0 Queue Driver Event 
00030014 Input XML Document 
00030015 Input Transformation Document 
00030016 Output Transformation Document 
00030017 Event Transformation Document 
00030018 Placement Rule Transformation Document 
00030019 Create Rule Transformation Document 
0003001A Input Mapping Rule Transformation Document 
0003001B Output Mapping Rule Transformation Document 
0003001C Matching Rule Transformation Document 
0003001D Command Transformation Document 
0003001E Publisher Filter Transformation Document 
0003001F User Agent Request 
00030021 Migrate 
00030022 Driver Start 
000307E1 Start Job 
00030BB8 Remote Loader Start 
000307E2 Abort Job 
00030023 Driver Stop 
00030BB9 Remote Loader Stop 
00030010 Check Password 
00030011 Check Object Password 
00030013 Sync 
0003002D Get Named Password 
000307DA Get Server Certificate 
000307DC Check Object Password 
00030012 Change Password 
00030024 Password Sync 
00030025 Password Reset 
00030030 Set SSO Credential 
00030031 Clear SSO Credential 
00030032 Set SSO Passphrase 
000307D6 Shim Password Set 
000307D7 Keyed Password Set 
000307D8 Remote Loader Password Set 
000307D9 Regenerate Key Pair 
00030BBA Remote Loader Connection Established 
00030BBB Remote Loader Connection Dropped 
Event Structure 


All events logged through Sentinel have a standardized set of fields. This allows Sentinel to log 
events to a structured database and query events across all logging applications. 


Identity Manager events provide information in the following field structure: 


CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension 
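A parser for records in that layout, as an added Python example of the kind a Sentinel-side analyst might write to decode the Signature ID against Table A-1; it is written for this page and is not NetIQ code. It assumes that the Signature ID carries the eight-digit hexadecimal CEF Event ID listed in Table A-1 (application ID 0003 in the upper 16 bits, event number in the lower 16). The vendor, product and version strings, the extension keys and the three sample records are constructed for the example; the event names and numbers come from Table A-1.

```python
"""CEF record parser for Identity Manager audit events (added example, not NetIQ code).

Header layout, from this guide:
  CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF escaping: \\| and \\\\ in the header; \\= and \\\\ in extension values.
Assumption: the Signature ID is the eight-digit hex CEF Event ID from Table A-1.
"""
import re
from dataclasses import dataclass

IDM_APP_ID = 0x0003        # Identity Manager application ID "003" (upper 16 bits of the event ID)

# Subset of Table A-1, keyed by the event number in the lower 16 bits.
EVENT_NAMES = {
    0x0001: "Status Success", 0x0004: "Status Error", 0x0008: "Add Entry",
    0x0009: "Delete Entry", 0x000A: "Modify Entry", 0x0012: "Change Password",
    0x0024: "Password Sync", 0x0025: "Password Reset", 0x0026: "DirXML Error",
    0x0027: "DirXML Warning", 0x002D: "Get Named Password",
    0x0030: "Set SSO Credential", 0x07D6: "Shim Password Set",
}
# Events that read or set credentials; the ones a dedicated Sentinel rule should watch.
CREDENTIAL_EVENTS = {0x0012, 0x0024, 0x0025, 0x002D, 0x0030, 0x07D6}


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature: int       # full 32-bit event ID, e.g. 0x00030026
    name: str
    severity: int
    extension: dict


def split_header(line: str) -> list:
    """Split the seven header fields on unescaped '|'; the remainder is the extension."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # \| and \\ are literal characters in the header
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 '|' separators")
    fields.append(line[i:])                     # extension, still escaped, for parse_extension
    return fields


_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")   # key= at start or after whitespace
_ESC_RE = re.compile(r"\\(.)")
_ESC_MAP = {"n": "\n", "r": "\r"}                           # \= \\ \| map to the character itself


def unescape(value: str) -> str:
    return _ESC_RE.sub(lambda m: _ESC_MAP.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> dict:
    """key=value pairs whose values may contain spaces: a value runs to the next key= token."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end].strip())
    return out


def decode_signature(sig: str) -> tuple:
    """'00030026' -> (3, 0x26); int('00030026', 16) is 196646, the decimal ID Table 8-1 quotes."""
    full = int(sig, 16)
    return full >> 16, full & 0xFFFF


def event_name(signature: int) -> str:
    app, num = signature >> 16, signature & 0xFFFF
    if app != IDM_APP_ID:
        return "unknown application %04X" % app
    return EVENT_NAMES.get(num, "event %04X" % num)


def parse_cef(line: str) -> CefEvent:
    f = split_header(line.rstrip("\r\n"))
    if not f[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    return CefEvent(f[0][4:], f[1], f[2], f[3], int(f[4], 16), f[5], int(f[6]),
                    parse_extension(f[7]))


def credential_events(lines) -> list:
    """Parsed Identity Manager events whose number is in CREDENTIAL_EVENTS."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if ev.signature >> 16 == IDM_APP_ID and (ev.signature & 0xFFFF) in CREDENTIAL_EVENTS:
            hits.append(ev)
    return hits


# Constructed sample records; vendor/product/version and extension keys are illustrative.
SAMPLE_RECORDS = [
    r"CEF:0|NetIQ|Identity Manager|4.8|00030008|Add Entry|3|target=cn\=jdoe,ou\=users,o\=acme dvchost=idm1",
    r"CEF:0|NetIQ|Identity Manager|4.8|00030012|Change Password|5|target=cn\=jdoe,ou\=users,o\=acme dvchost=idm1 msg=request from driver ActiveDirectory",
    r"CEF:0|NetIQ|Identity Manager|4.8|0003002D|Get Named Password|7|target=cn\=ADDriver,cn\=driverset1,o\=system subTarget=named-password\\admin",
]

if __name__ == "__main__":
    for ev in credential_events(SAMPLE_RECORDS):
        print("%08X %-20s sev=%d %s" % (ev.signature, ev.name, ev.severity, ev.extension.get("target")))
```

Two details matter in practice. The header is split on unescaped pipes only, so a Name or Device Product containing `\|` does not shift the Signature ID into the wrong column; and the Signature ID, not the free-text Name, is what the credential rule keys on, because the name is the part a sender can change without changing the event.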


Remote Loader Events 


The following table lists the Remote Loader events that can be audited through Sentinel: 


Table A-2 Remote Loader Events 


Event ID     Description                               Trigger 

0030BB8      Remote Loader Start                       Occurs when the Remote Loader starts. 

0030BB9      Remote Loader Stop                        Occurs when the Remote Loader stops. 

0030BBA      Remote Loader Connection Established      Occurs when the engine establishes a TCP 
                                                       connection with the Remote Loader. 

0030BBB      Remote Loader Connection Dropped          Occurs when the engine-to-Remote Loader 
                                                       connection is lost. 

0030026      Command Port is already in use            Occurs when you try to start the Remote 
                                                       Loader when it is already running. 

(no ID       Invalid Response to challenge during      Occurs when you specify an incorrect 
listed)      command authentication                    password. 


Engine Events 


The following table lists the engine events that can be audited through Sentinel: 


Table A-3 Engine Events 


Event ID 


0030001 


0030002 


0030003 


0030004 


Description 


Status Success 


Status Retry 


Status Warning 


Status Error 
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Trigger 


Many different events can cause the status success event to occur. It usually 
signifies that an operation was successfully completed. 


Many different events can cause the status retry event to occur. It signifies an 
operation was not completed and the operation must be tried again later. 


Many different events can cause the status warning event to occur. It usually 
signifies that an operation was completed with minor problems. 


Many different events can cause the status error event to occur. It usually 
signifies that an operation was not completed successfully. 


Event ID 


0030005 


0030006 


0030007 


0030008 


0030009 


003000A 


003000B 


003000C 


003000D 


003000E 


003000F 


0030010 


0030011 


0030012 


0030013 


0030014 


0030015 


0030016 


0030017 


0030018 


0030019 


Description 


Status Fatal 


Status Other 


Search 


Add Entry 
Delete Entry 
Modify Entry 
Rename Entry 
Move Entry 
Add Association 


Remove 
Association 


Query Schema 


Check User 
Password Status 


Check Object 
Password 


Change 
Password 


Sync 


Input XML 
Document 


Input 
Transformation 
Document 


Output 
Transformation 
Document 


Event 
Transformation 
Document 


Placement Rule 
Transformation 
Document 


Create Rule 
Transformation 
Document 


Trigger 


Many different events can cause the status fatal event to occur. It usually 
signifies that an operation was not completed successfully and the engine or 
driver could not continue. 


Any status document processed with a level other than the five previously 
defined creates a status other event. These events can only be generated 
within a style sheet or rule. 


Occurs when a query document is sent to the Identity Manager engine or 
driver. 


Occurs when an object is added. 

Occurs when an object is deleted. 

Occurs when an object is modified. 

Occurs when an object is renamed. 

Occurs when an object is moved. 

Occurs when an association is added. It can happen on an add or a match. 


When an object is deleted, there is no remove association event. The remove 
association occurs when a User object is deleted in the disparate application, 
and the delete is then converted into a modify that removes the association. 


Occurs when a query schema operation is sent to the Identity Manager engine 
or driver. 


Manual function that is initiated via iManager to check the status of the user’s 
password. 


Occurs when a request is issued to check an object's password, other than the 
driver. 


Occurs when a request is issued to change the driver's password. 


Occurs when a sync event is requested. 


Generated whenever an input document is created by the engine or driver. 


Generated after the input transformation policies are processed, allowing the 
user to view the transformed document. 


Generated after the output transformation policies are processed, allowing the 
user to view the transformed document. 


Generated after the event transformation policies are processed, allowing the 
user to view the transformed document. 


Generated after the Placement rule policies are processed, allowing the user 
to view the transformed document. 


Generated after the Create rule policies are processed, allowing the user to 
view the transformed document. 
Event ID Description Trigger 

003001A Input Mapping Rule Transformation Document Generated after the Schema Mapping rules are processed, which convert the document to the eDirectory schema. 
003001B Output Mapping Rule Transformation Document Generated after the Schema Mapping rules are processed, which convert the document to the application's schema. 
003001C Matching Rule Transformation Document Generated after the Matching rule policies are processed, allowing the user to view the transformed document. 
003001D Command Transformation Document Generated after the command transformation policies are processed, allowing the user to view the transformed document. 
003001E Publisher Filter Transformation Document Generated after processing the notify filter on the Publisher channel, allowing the user to view the transformed document. 
003001F User Agent Request Occurs when a User Agent XDS command document is sent to the Driver on the Subscriber channel. 
0030020 Resync Driver Occurs when a resync request is issued. 
0030021 Migrate Occurs when a migrate request is issued. 
0030022 Driver Start Occurs when a driver is started. 
0030023 Driver Stop Occurs when a driver is stopped. 
0030024 Password Sync Generated when setting the distribution or simple password on an object. 
0030025 Password Reset Generated when resetting the connected application password after a failed password sync operation. 
0030026 DirXML Error Generated whenever the engine throws an internal error. 
0030027 DirXML Warning Generated whenever the engine throws an internal warning. 
0030028 Custom Operation Occurs when an unknown operation appears in an input document. Examples of known operations are add, delete, and modify. 
0030029 Clear Attribute Occurs when a modify operation contains a remove-all-value element. 
003002A Add Value - Modify Entry Occurs when a value is added during the modification of an object. 
003002B Remove Value Occurs when a modify operation contains a remove-value element. 
003002C Merge Entries Occurs when two objects are being merged. 
003002D Get Named Password Generated on a Get Named Password operation. 
003002E Reset Attributes Occurs when a Reset document is issued on the Publisher or Subscriber channel. 
003002F Add Value - Add Entry Occurs when a value is added during the creation of an object. 


Event ID Description Trigger 

0030030 Set SSO Credential Occurs when a driver policy executes the do-set-sso-credential action. 
0030031 Clear SSO Credential Occurs when a driver policy executes the do-clear-sso-credential action. 
0030032 Set SSO Passphrase Occurs when a driver policy executes the do-clear-sso-credential action. 


Fanout Agent Events 


The following table lists the Fanout Agent events that can be audited through Sentinel: 


Table A-4 Fanout Agent Events 


Event ID Description Trigger 

0030FA0 Fanout Agent Start Occurs when the Fanout Agent starts. 
0030FA1 Fanout Agent Stop Occurs when the Fanout Agent stops. 
0030FA2 Service Start, Instance Service Occurs when the driver is started. 
0030FA3 Service Stop, Instance Service Occurs when the driver is stopped. 


User Application Events 


The following table lists the User Application events that can be audited through Sentinel: 


Table A-5 User Application Events 


Event ID Description Trigger 

31400 Delete Entity Occurs when an entity is deleted 
31401 Update Entity Occurs when an entity is updated 
31410 Change Password Failure Occurs when the password change fails 
31411 Change Password Success Occurs when the password change succeeds 
31420 Forgotten Password Change Failure Occurs when the forgotten password change fails 
31421 Forgotten Password Change Success Occurs when the forgotten password change succeeds 
31550 Login Success Occurs when the login succeeds 
31551 Login Failure Occurs when the login fails 
31430 Search Request Occurs when a search is initiated 
31431 Search Saved Occurs when a search is saved 
Event ID Description Trigger 

31440 Create Entity Occurs when an entity is created 
31450 Create Proxy Definition Success Occurs when the creation of an entity definition succeeds 
31451 Create Proxy Definition Failure Occurs when the creation of a proxy definition fails 
31452 Update Proxy Definition Success Occurs when an update to the proxy definition fails 
31453 Update Proxy Definition Failure Occurs when an update to the proxy definition fails 
31454 Delete Proxy Definition Success Occurs when the proxy definition is deleted successfully 
31455 Delete Proxy Definition Failure Occurs when the proxy definition is not deleted successfully 
31456 Create Delegatee Definition Success Occurs when the creation of a delegatee definition succeeds 
31457 Create Delegatee Definition Failure Occurs when the creation of a delegatee definition fails 
31458 Update Delegatee Definition Success Occurs when an update to the delegatee definition succeeds 
31459 Update Delegatee Definition Failure Occurs when an update to the delegatee definition fails 
003145A Delete Delegatee Definition Success Occurs when the delegatee definition is deleted successfully 
003145B Delete Delegatee Definition Failure Occurs when the deletion of a delegatee definition fails 
003145C Create Availability Success Occurs when the creation of an availability succeeds 
003145D Create Availability Failure Occurs when the creation of an availability fails 
3145 Delete Availability Success Occurs when the deletion of an availability succeeds 
003145F Delete Availability Failure Occurs when the deletion of an availability fails 
31470 Digital Signature Verification Request Occurs when a digital signature request is verified. 
31471 Digital Signature Verification Failure Occurs if a digital signature is invalid. 
31472 Digital Signature Verification Success Occurs upon successful verification of a digital signature. 
31520 Workflow Error Occurs when there is a workflow error 
31521 Workflow Started Occurs when the workflow starts 
31522 Workflow Forwarded Occurs when the workflow is forwarded 


Event ID Description Trigger 

31523 Workflow Reassigned Occurs when the workflow is reassigned 
31524 Workflow Approved Occurs when the workflow is approved 
31525 Workflow Refused Occurs when the workflow is refused 
31526 Workflow Ended Occurs when the workflow ends 
31527 Workflow Claimed Occurs when the workflow is claimed 
31528 Workflow Unclaimed Occurs when the workflow is not claimed 
31529 Workflow Denied Occurs when the workflow is denied 
003152A Workflow Completed Occurs when the workflow is completed 
003152B Workflow Timedout Occurs when the workflow timed out 
003152C User Message This is a user ad hoc log message 
003152D Provision Error Occurs when there is an error in the provisioning step 
3152E Provision Submitted Occurs during the provisioning step on submission of entitlements. 
003152F Provision Success Occurs during the provisioning step on successful completion of the step 
31530 Provision Failure Occurs during the provisioning step upon failure of the step 
31531 Provision Granted Occurs during the provisioning step on granting of an entitlement 
31532 Provision Revoked Occurs during the provisioning step on the revoking of an entitlement 
31533 Workflow Retracted Occurs when the workflow is retracted 
31534 Workflow Escalated Occurs when the workflow is escalated 
31535 Workflow Reminder Sent Occurs when reminders are sent to addressees of a workflow task 
31536 Digital Signature Occurs whenever a digital signature is passed to the workflow engine 
31537 Workflow ResetPriority Occurs when the priority of a workflow task is reset. 
31538 Role Approved Occurs when a role is approved 
31539 Role Denied Occurs when a role is denied 
003153A SOD Exception Approved Occurs when an SOD exception is approved 
003153B SOD Exception Denied Occurs when an SOD exception is denied 
003153C Start Correlated Workflow Occurs when a correlated workflow is started 
003153D Role Request Submitted Occurs when a role request is submitted 
3153 Resource Approved Occurs when a resource is approved 
003153F Resource Denied Occurs when a resource is denied 
31540 Provision Already Exists 
31541 Resource Request Submitted Occurs when a request for a resource is submitted 
31542 Resource Provisioning Workflow Submitted Occurs when a resource provisioning workflow is submitted 
31543 Resource Provisioning Workflow Failed Occurs when a resource provisioning workflow fails 
31600 Role Provisioning Occurs when a role is provisioned 
31601 Role Provisioning Failure Occurs when a role provisioning fails 
31610 Role Request Occurs when a role is requested 
31611 Role Request Failure Occurs when the request for a role fails 
31612 Role Request Workflow 
31613 SOD Exception Auto Approval Occurs when the SOD exception is auto approved 
31614 Retract Role Request Occurs when the role request is retracted 
31615 Retract Role Request Failure Occurs when the retraction of a role request fails 
31620 Entitlement Grant Occurs when the entitlement is granted 
31621 Entitlement Grant Failure Occurs when the entitlement grant fails 
31622 Entitlement Revoke Occurs when the entitlement is revoked 
31623 Entitlement Revoke Failure Occurs when the entitlement revoke fails 
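The login, password-change and workflow events in Table A-5 are the ones a security operations team most often correlates once they reach Sentinel or another collector. As an added example that is not part of the NetIQ documentation, the following Python parses CEF lines using the standard CEF header layout (CEF:Version|Vendor|Product|Device Version|Event Class ID|Name|Severity|Extension), maps the event class ID to the names in Table A-5, and reports a user whose Login Failure (31551) events reach a threshold before a Login Success (31550). The sample lines, the extension keys (suser, src, msg) and the threshold are constructed for this illustration; only the event IDs and names come from the table.

```python
"""Parse Identity Manager CEF audit lines and flag login-failure bursts.

Added example, not part of the NetIQ documentation. The sample lines below
are constructed for this illustration and the extension keys (suser, src,
msg) are assumed; only the event IDs and names are taken from Table A-5.
"""
import re
from collections import defaultdict

# Event IDs and names from Table A-5 (User Application Events).
EVENT_NAMES = {
    "31550": "Login Success",
    "31551": "Login Failure",
    "31410": "Change Password Failure",
    "31411": "Change Password Success",
    "31420": "Forgotten Password Change Failure",
    "31421": "Forgotten Password Change Success",
    "31524": "Workflow Approved",
}

# A literal pipe inside a CEF header field is escaped as "\|": split only on unescaped pipes.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension values may contain spaces, so split only before the next "key=" token.
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")


def _unescape(value):
    """Undo CEF escaping (a backslash before =, |, a backslash, n or r)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Return a dict for one CEF line, or None if the line is not CEF."""
    if not line.startswith("CEF:"):
        return None
    fields = _HEADER_SPLIT.split(line.rstrip("\r\n"), maxsplit=7)
    if len(fields) < 7:
        return None
    ext = {}
    if len(fields) == 8 and fields[7]:
        for token in _EXT_SPLIT.split(fields[7].strip()):
            key, _, value = token.partition("=")
            ext[key] = _unescape(value)
    return {
        "version": fields[0][len("CEF:"):],
        "vendor": _unescape(fields[1]),
        "product": _unescape(fields[2]),
        "device_version": _unescape(fields[3]),
        "event_id": fields[4],
        "name": _unescape(fields[5]),
        "severity": fields[6],
        "ext": ext,
    }


def login_failure_bursts(events, threshold=3):
    """Map user -> "burst" or "burst_then_success".

    A user whose consecutive Login Failure (31551) events reach `threshold` is
    reported; a Login Success (31550) that follows upgrades the finding, since
    that is how a guessing attempt that eventually worked appears in the audit
    trail. The threshold is an assumption of this example.
    """
    failures = defaultdict(int)
    findings = {}
    for ev in events:
        user = ev["ext"].get("suser", "<unknown>")
        if ev["event_id"] == "31551":
            failures[user] += 1
            if failures[user] >= threshold:
                findings[user] = "burst"
        elif ev["event_id"] == "31550":
            if failures[user] >= threshold:
                findings[user] = "burst_then_success"
            failures[user] = 0
    return findings


# Constructed sample events (not real Identity Manager output).
SAMPLE_LINES = [
    "CEF:0|NetIQ|Identity Manager|4.8|31551|Login Failure|3|suser=alice src=10.0.0.5",
    "CEF:0|NetIQ|Identity Manager|4.8|31551|Login Failure|3|suser=alice src=10.0.0.5",
    "CEF:0|NetIQ|Identity Manager|4.8|31551|Login Failure|3|suser=bob src=10.0.0.9",
    "CEF:0|NetIQ|Identity Manager|4.8|31551|Login Failure|3|suser=alice src=10.0.0.5",
    "CEF:0|NetIQ|Identity Manager|4.8|31550|Login Success|1|suser=alice src=10.0.0.5",
    "CEF:0|NetIQ|Identity Manager|4.8|31524|Workflow Approved|1|suser=carol msg=Approved request\\=42",
    "not a CEF line",
]


def analyze(lines, threshold=3):
    """Parse all lines, drop non-CEF ones, and return (events, findings)."""
    events = [ev for ev in map(parse_cef, lines) if ev is not None]
    for ev in events:
        # Prefer the name from Table A-5; fall back to the name carried in the header.
        ev["table_name"] = EVENT_NAMES.get(ev["event_id"], ev["name"])
    return events, login_failure_bursts(events, threshold)


if __name__ == "__main__":
    parsed, hits = analyze(SAMPLE_LINES)
    for ev in parsed:
        print(ev["event_id"], ev["table_name"], ev["ext"].get("suser"))
    print("findings:", hits)
```

The burst counter resets on a success so that a legitimate user who mistypes a password twice and then logs in is not reported; only a run that reaches the threshold before the success is. Real deployments would also key the counter on the source address and apply a time window.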


DCS Events 


The following table lists Data Collection Service events that can be audited through Sentinel: 


Table A-6 DCS Events 


Event ID Description Trigger 

00031721 DCS Driver Registration Add Occurs when the DCS driver is added 
00031722 DCS Driver Registration Modify Occurs when the DCS driver is modified 
00031723 DCS Driver Collection enabled Occurs when the data collection is enabled 
00031724 DCS Driver Collection disabled Occurs when the data collection is disabled 
00031728 Data Collection Suspended Occurs when the data collection is suspended 
00031729 Data Collection Activated Occurs when the data collection is activated 
00031730 Data Collection Started Occurs when the data collection is started 
00031731 Data Collection Completed Occurs when the data collection is completed 
00031732 Data Collection Failed Occurs when the data collection fails 
00031733 Data Collection Requested Occurs when the data collection is requested 
Understanding the Properties Files for CEF Auditing 


This appendix provides details about the properties files used by the different components of Identity 
Manager for auditing through CEF. 


Understanding the auditlogconfig.properties File 


The following Identity Manager components use the auditlogconfig.properties file to store the CEF 
configuration: 

+ Identity Vault 
+ Identity Manager Engine 
+ Java Remote Loader 
+ Fanout Agent 


NOTE: Identity Vault and Identity Manager support only one Syslog method for auditing at a time. You 
can use either CEF or XDAS for auditing these components. NetIQ recommends that you use CEF 
instead of XDAS, because XDAS will be deprecated in the future. 


For information about the content of the audit properties file for each of these Identity Manager 
components, see the following sections: 

+ “Identity Manager Engine, Remote Loader, and .NET Remote Loader” on page 51 
+ “Java Remote Loader and Fanout Agent” on page 55 


Identity Manager Engine, Remote Loader, and .NET Remote Loader 


NOTE: To generate XDAS events for the Remote Loader and Fanout Agent, you must rename the 
auditlogconfig.properties file to a different name, for example auditlogconfig.properties.temp. If 
auditlogconfig.properties and xdasconfig.properties coexist on the same computer, only CEF events 
are generated for that component. 


The following is a sample auditlogconfig.properties file for the Identity Manager engine, Remote 
Loader, and .NET Remote Loader: 
# Set the level of the root logger to DEBUG and attach appenders. 
#log4j.rootLogger=debug, S, R 

# Defines appender S to be a SyslogAppender. 
#log4j.appender.S=org.apache.log4j.net.SyslogAppender 

# Defines location of Syslog server. 
#log4j.appender.S.Host=localhost 
#log4j.appender.S.Port=port 

# Specify protocol to be used (UDP/TCP/SSL) 
#log4j.appender.S.Protocol=SSL 

# Specify SSL certificate file for SSL connection. 
# File path should be given with double backslash. 
#log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem 

# Minimum log-level allowed in syslog. 
#log4j.appender.S.Threshold=INFO 

# Defines the type of facility. 
#log4j.appender.S.Facility=USER 

# Defines caching for SyslogAppender. 
# Inputs should be yes/no 
#log4j.appender.S.CacheEnabled=yes 

# Cache location directory 
# Directory should be available for creating cache files 
#log4j.appender.S.CacheDir=/var/opt/novell/eDirectory 

# Cache File Size 
# Cache File size should be in the range of 50MB to 4000MB 
#log4j.appender.S.CacheMaxFileSize=500MB 

# Layout definition for appender Syslog S. 
#log4j.appender.S.layout=org.apache.log4j.PatternLayout 
#log4j.appender.S.layout.ConversionPattern=%c: %m%n 

# Defines appender R to be a Rolling File Appender. 
#log4j.appender.R=org.apache.log4j.RollingFileAppender 

# Log file for appender R. 
#log4j.appender.R.File=/var/opt/novell/eDirectory/log/cef-events.log 

# Max size of log file for appender R. 
#log4j.appender.R.MaxFileSize=100MB 

# Set the maximum number of backup files to keep for appender R. 
# Max can be 13. If set to zero, then there will be no backup files. 
#log4j.appender.R.MaxBackupIndex=10 

# Layout definition for appender Rolling log file R. 
#log4j.appender.R.layout=org.apache.log4j.PatternLayout 
#log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c %m%n 


NOTE: By default, the appenders are disabled. You need to manually enable them. 
Before using the auditlogconfig.properties file, NetIQ recommends that you review the following 
considerations: 

+ The letters S and R specify the Syslog Appender and the Rolling File Appender respectively. 
+ Entries in the auditlogconfig.properties file are not case sensitive. 
+ Entries in the auditlogconfig.properties file can appear in any order. 
+ Empty lines in the file are valid. 
+ Any line that starts with a hash (#) is commented out. 


The following table provides an explanation of each property in the auditlogconfig.properties 
file: 


Setting Description 

log4j.rootLogger Sets the level of the root logger to debug and attaches an appender named R or S, where S specifies a Syslog appender and R specifies a Rolling File appender. 
log4j.appender.S Specifies the appender S to be a Syslog appender. 
log4j.appender.S.Host Specifies the location of the Syslog server where audit events are logged. 
log4j.appender.S.Port The port at which the Auditing server connects to the Syslog server. If the connection between the Auditing server and the Syslog server fails, Identity Manager cannot log events until the connection is restored. 
log4j.appender.S.Protocol Specifies the protocol to use. For example, UDP, TCP, or SSL. SSL is the default protocol. For enabling secure communication, see Chapter 7, “Securing the Logging System,” on page 27. 
log4j.appender.S.SSLCertFile Specifies the SSL certificate file for the SSL connection. Use double backslashes to specify the path of the file. This is an optional setting. 
log4j.appender.S.Threshold Specifies the minimum log level allowed in the Syslog appender. 
log4j.appender.S.Facility Specifies the type of facility. 
log4j.appender.S.CacheEnabled Specifies caching for the Syslog appender. 
log4j.appender.S.CacheDir Specifies the directory for storing the cache file. 
log4j.appender.S.CacheMaxFileSize Specifies the size of the cache file. The range is 50 MB to 4000 MB. 
log4j.appender.S.layout Layout setting for the Syslog appender. 
log4j.appender.S.layout.ConversionPattern Layout setting for the Syslog appender. 
log4j.appender.R Specifies appender R to be a Rolling File appender. 
log4j.appender.R.File The location of the log file for a Rolling File appender. 
log4j.appender.R.MaxFileSize The maximum size, in MB, of the log file for a Rolling File appender. Set this value to the maximum size that the client allows. NOTE: The minimum size of the MaxFileSize parameter for the Rolling File appender is 50 MB. 
log4j.appender.R.MaxBackupIndex Specifies the maximum number of backup files for a Rolling File appender. The maximum number of backup files can be 10. A zero value means no backup files. 
log4j.appender.R.layout Layout setting for the Rolling File appender. 
log4j.appender.R.layout.ConversionPattern Layout setting for the Rolling File appender. 
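The settings above are easy to get wrong in a way that silently produces no audit trail (no appender attached to log4j.rootLogger) or a weaker one than intended (UDP instead of the default SSL, the placeholder port left in place, a cache size outside the documented range). As an added example that is not part of the NetIQ guide, the following Python reads a file in the form the considerations describe (# comments, blank lines, case-insensitive keys, any order), reports which appenders the root logger attaches, and checks the constraints stated in the table: a protocol of UDP, TCP or SSL, the 50MB to 4000MB cache range, the 50 MB minimum for MaxFileSize, and a numeric port. The two embedded configurations are constructed: the first keeps the weak settings, the second is the corrected form. The finding codes, the function names, and the host name and port in the corrected sample are this example's own assumptions.

```python
"""Check an auditlogconfig.properties file against the constraints in this guide.

Added example, not NetIQ's own tooling. Parsing follows the considerations
the guide lists: '#' comments, blank lines allowed, keys not case sensitive,
entries in any order. The two configurations below are constructed samples;
the finding codes and the host/port in the corrected sample are assumptions.
"""
import re

# Constructed sample: the shipped file with the Syslog appender uncommented but
# weak settings left in place (UDP, placeholder port, cache below the minimum).
WEAK = """\
# Set the level of the root logger to DEBUG and attach appenders.
log4j.rootLogger=debug, S
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=localhost
log4j.appender.S.Port=port
log4j.appender.S.Protocol=UDP
#log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem
log4j.appender.S.Threshold=INFO
log4j.appender.S.CacheEnabled=yes
log4j.appender.S.CacheMaxFileSize=20MB
#log4j.appender.R=org.apache.log4j.RollingFileAppender
"""

# Constructed corrected sample: SSL to a collector, both appenders attached,
# sizes inside the documented ranges. Host name and port are placeholders.
CORRECTED = """\
log4j.rootLogger=debug, S, R
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=syslog.example.internal
log4j.appender.S.Port=1468
log4j.appender.S.Protocol=SSL
log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem
log4j.appender.S.Threshold=INFO
log4j.appender.S.Facility=USER
log4j.appender.S.CacheEnabled=yes
log4j.appender.S.CacheDir=/var/opt/novell/eDirectory
log4j.appender.S.CacheMaxFileSize=500MB
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=/var/opt/novell/eDirectory/log/cef-events.log
log4j.appender.R.MaxFileSize=100MB
log4j.appender.R.MaxBackupIndex=10
"""


def parse_properties(text):
    """Return {lower-cased key: value}; comment and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip()
    return props


def enabled_appenders(props):
    """Appender names attached by log4j.rootLogger (the first token is the level)."""
    tokens = [t.strip() for t in props.get("log4j.rootlogger", "").split(",")]
    return [t for t in tokens[1:] if t]


def _megabytes(value):
    """Parse a size such as '500MB'; return None if the value is not in that form."""
    match = re.fullmatch(r"(\d+)\s*MB", value or "", re.IGNORECASE)
    return int(match.group(1)) if match else None


def check_config(props):
    """Return a list of (code, message) findings; an empty list means nothing was found."""
    findings = []
    appenders = enabled_appenders(props)
    if not appenders:
        findings.append(("NO_APPENDER", "log4j.rootLogger attaches no appender, so no audit events are written"))
    if "S" in appenders:
        proto = props.get("log4j.appender.s.protocol", "").upper()
        if proto not in ("UDP", "TCP", "SSL"):
            findings.append(("BAD_PROTOCOL", "Protocol must be UDP, TCP or SSL"))
        elif proto != "SSL":
            findings.append(("NOT_SSL", "audit events leave the host unencrypted; the guide's default is SSL"))
        if not props.get("log4j.appender.s.port", "").isdigit():
            findings.append(("PORT_PLACEHOLDER", "Port is not a number (the shipped sample leaves 'port')"))
        if props.get("log4j.appender.s.cacheenabled", "").lower() == "yes":
            size = _megabytes(props.get("log4j.appender.s.cachemaxfilesize"))
            if size is None or not 50 <= size <= 4000:
                findings.append(("CACHE_SIZE_RANGE", "CacheMaxFileSize must be between 50MB and 4000MB"))
    if "R" in appenders:
        size = _megabytes(props.get("log4j.appender.r.maxfilesize"))
        if size is None or size < 50:
            findings.append(("MAXFILESIZE_MIN", "MaxFileSize for the Rolling File appender must be at least 50 MB"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("corrected", CORRECTED)):
        props = parse_properties(text)
        print(label, "appenders:", enabled_appenders(props))
        for code, message in check_config(props):
            print("  ", code, "-", message)
```

Run it against the real file after editing and before restarting eDirectory; the NO_APPENDER finding is the one that matters most, because with the shipped file unchanged every appender is still commented out and the component emits nothing.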


Enabling the Syslog Appender 


1 Change the following entry to S to attach a Syslog appender: 
log4j.rootLogger=debug, S 

2 Uncomment the following entries: 
log4j.appender.S=org.apache.log4j.net.SyslogAppender 
log4j.appender.S.Host=localhost 
log4j.appender.S.Port=port 
log4j.appender.S.Protocol=SSL 
log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem 
log4j.appender.S.Threshold=INFO 
log4j.appender.S.Facility=USER 
log4j.appender.S.layout=org.apache.log4j.PatternLayout 
log4j.appender.S.layout.ConversionPattern=%c: %m%n 

3 Log in to iManager and change the log levels. 

For more information on changing log levels by using iManager, see “Setting the Log Level and 
Maximum Log Size” on page 37. 

4 Restart eDirectory. 


Enabling the Rolling File Appender 


The Rolling File appender is preferred if the auditing solution is limited to an individual server. The 
Rolling File appender is more reliable than the Syslog appender because it uses the file connector to 
send events from your local file system to the auditing server. 


1 Change the following entry to R to attach a Rolling File appender: 
log4j.rootLogger=debug, R 

2 Uncomment the following entries: 
log4j.appender.R=org.apache.log4j.RollingFileAppender 
log4j.appender.R.File=/var/opt/novell/eDirectory/log/cef-events.log 
log4j.appender.R.MaxFileSize=100MB 
log4j.appender.R.MaxBackupIndex=10 
log4j.appender.R.layout=org.apache.log4j.PatternLayout 
log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c %m%n 

3 Log in to iManager and change the log levels. 

For more information on changing log levels by using iManager, see “Setting the Log Level and 
Maximum Log Size” on page 37. 

4 Restart eDirectory. 


Java Remote Loader and Fanout Agent 


The following is a sample auditlogconfig.properties file for the Java Remote Loader and the 
Fanout Agent. 

# Defines location of Syslog server. 
#SyslogHost=localhost 
#SyslogPort=port 

# Specify protocol to be used (UDP/TCP/SSL) 
#SyslogProtocol=TCP 

# Specify SSL keystore file for SSL connection. 
# File path should be given with double backslash. 
#SyslogSSLKeystoreFile=/opt/netiq/idm/jre/lib/security/cacerts 

# Specify SSL keystore password for SSL connection. 
#SyslogSSLKeystorePassword=password 

# Defines caching for SyslogAppender. 
# Inputs should be yes/no 
#CacheEnabled=yes 

# Cache location directory 
# Directory should be available for creating cache files 
#CacheDir=/tmp/IDMcache 

# Cache File Size 
# Cache File size should be in the range of 50MB to 4000MB 
#CacheRolloverSize=50 

# Log file for appender 
#FileAppenderFileName=/var/opt/novell/log/cef-events.log 


The following table provides an explanation of each property in the auditlogconfig.properties 
file: 


Setting Description 

SyslogHost Specifies the location of the Syslog server where audit events are logged. 
SyslogPort The port at which the Auditing server connects to the Syslog server. If the connection between the Auditing server and the Syslog server fails, Identity Manager cannot log events until the connection is restored. 
SyslogProtocol Specifies the protocol to use. For example, UDP, TCP, or SSL. 
SyslogSSLKeystoreFile Specifies the SSL certificate file for the SSL connection. Use double backslashes to specify the path of the file. This is an optional setting. 
SyslogSSLKeystorePassword Specifies the keystore password for the SSL connection. 
CacheEnabled Specifies caching for the SyslogAppender. The values can be yes or no. 
CacheDir Specifies the directory for storing the cache file. 
CacheRolloverSize Specifies the size of the cache file. The range is 50 MB to 4000 MB. 
FileAppenderFileName Specifies the log file for the appender. 
AppendComponentName Specifies whether you want to append the component name before the event message. You can set this option to Yes if you are using Sentinel as your auditing solution. 


Understanding the idmuserapp_logging.xml File 


The following is a sample of the idmuserapp_logging.xml file: 

<logging xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:noNamespaceSchemaLocation="logging-config.xsd"> 

<prefix>[RBPM]</prefix> 

<!-- example of enabling TRACE level --> 
<!-- 
<logger name="com.novell.soa.af" additivity="true" level="TRACE"/> 
--> 

<!-- example of enabling Novell Audit Logging --> 
<!-- just add the Naudit appender to the level --> 
<!-- 
<logger name="com.novell" additivity="true" level="INFO"> 
<appender-ref ref="CONSOLE_DEBUG"/> 
<appender-ref ref="Naudit"/> 
</logger> 
--> 

<!-- Appender definitions --> 
<appenders> 
<!-- CONSOLE and FILE appender are defined in jboss-log4j.xml --> 
<!-- Novell Audit appender --> 
<appender class="com.netiq.logging.log4j.NauditLog4jAppender" 
name="NAUDIT"> 
<param name="Threshold" value="ALL"/> 
<param name="ApplicationDetail" value="DirXML"/> 
</appender> 
<!-- CEF appender --> 
<appender class="com.netiq.idm.logging.syslog.CEFSyslogAppender" 
name="CEF"> 
<param name="Threshold" value="ALL"/> 
</appender> 
</appenders> 
<!-- 
Logger definitions 
NOTE: CONSOLE & FILE appenders should be defined in (jboss-)log4j.xml file. 
Additivity of true means the loggers defined below will inherit the 
appenders. 
--> 
<loggers> 
<logger name="com.novell" level="INFO" additivity="true"> 
<!-- remove this line to turn on Novell Audit 
<appender-ref ref="NAUDIT"/> 
remove this line to turn on Novell Audit --> 
<!-- remove this line to turn on CEF auditing 
<appender-ref ref="CEF"/> 
remove this line to turn on CEF auditing --> 
</logger> 
<logger name="com.sssw" level="INFO" additivity="true"> 
<!-- remove this line to turn on Novell Audit 
<appender-ref ref="NAUDIT"/> 
remove this line to turn on Novell Audit --> 
<!-- remove this line to turn on CEF auditing 
<appender-ref ref="CEF"/> 
remove this line to turn on CEF auditing --> 
</logger> 
<logger name="com.netiq" level="INFO" additivity="true"> 
<!-- remove this line to turn on Novell Audit 
<appender-ref ref="NAUDIT"/> 
remove this line to turn on Novell Audit --> 
<!-- remove this line to turn on CEF auditing 
<appender-ref ref="CEF"/> 
remove this line to turn on CEF auditing --> 
</logger> 
<logger name="com.novell.afw.portal.aggregation" level="INFO" additivity="true"/> 
<logger name="com.novell.afw.portal.persist" level="INFO" additivity="true"/> 
<logger name="com.novell.afw.portal.portlet" level="INFO" additivity="true"/> 
<logger name="com.novell.afw.portal.util" level="INFO" additivity="true"/> 
<logger name="com.novell.afw.portlet.consumer" level="INFO" additivity="true"/> 
<logger name="com.novell.afw.portlet.core" level="INFO" additivity="true"/> 
<logger name="com.novell.afw.portlet.persist" level="INFO" additivity="true"/> 
<logger name="com.novell.afw.portlet.producer" level="INFO" additivity="true"/> 
<logger name="com.novell.afw.portlet.util" level="INFO" additivity="true"/> 
<logger name="com.novell.afw.theme" level="INFO" additivity="true"/> 
<logger name="com.novell.afw.util" level="INFO" additivity="true"/> 
<logger name="com.novell.common.auth" level="INFO" additivity="true"/> 
<logger name="com.novell.idm.security.authorization.service" level="INFO" additivity="true"/> 
<logger name="com.novell.pwdmgt.actions" level="INFO" additivity="true"/> 
<logger name="com.novell.pwdmgt.util" level="INFO" additivity="true"/> 
<logger name="com.novell.pwdmgt.service" level="INFO" additivity="true"/> 
<logger name="com.novell.pwdmgt.soap" level="INFO" additivity="true"/> 
<logger name="com.novell.roa.resources" level="INFO" additivity="true"/> 
<logger name="com.novell.soa.af.impl" level="INFO" additivity="true"/> 
<logger name="com.novell.soa.script" level="INFO" additivity="true"/> 
<logger name="com.novell.soa.ws.impl" level="INFO" additivity="true"/> 
<logger name="com.novell.srvprv.apwa" level="INFO" additivity="true"/> 
<logger name="com.novell.srvprv.impl.portlet" level="INFO" additivity="true"/> 
<logger name="com.novell.srvprv.impl.portlet.util" level="INFO" additivity="true"/> 
<logger name="com.novell.srvprv.impl.servlet" level="INFO" additivity="true"/> 
<logger name="com.novell.srvprv.impl.uictrl" level="INFO" additivity="true"/> 
<logger name="com.novell.srvprv.impl.vdata.model" level="INFO" additivity="true"/> 
<logger name="com.novell.srvprv.impl.vdata.definition" level="INFO" additivity="true"/> 
<logger name="com.novell.srvprv.spi" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.cachemgr" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.core" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.directory" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.event" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.factory" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.persist" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.resource" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.security" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.server" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.servlet" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.session" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.usermgr" level="INFO" additivity="true"/> 
<logger name="com.sssw.fw.util" level="INFO" additivity="true"/> 
<logger name="com.sssw.portal.manager" level="INFO" additivity="true"/> 
<logger name="com.sssw.portal.persist" level="INFO" additivity="true"/> 
<logger name="com.novell.idm.nrf.persist" level="INFO" additivity="true"/> 
<logger name="com.novell.idm.nrf.service" level="INFO" additivity="true"/> 
<logger name="com.novell.srvprv.impl.uictrl" level="INFO" additivity="true"/> 
<logger name="com.novell.srvprv.spi.uictrl" level="INFO" additivity="true"/> 
</loggers> 
</logging> 
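In the file above, the CEF appender is defined, but every appender-ref ref="CEF" that would actually route events to it sits inside an XML comment, so the User Application emits no CEF events until those comments are removed for com.novell, com.sssw and com.netiq. Because an XML parser discards comments, a quick check can confirm the edit took effect. The following Python is an added example, not part of the NetIQ guide; it reads a file of this shape and reports which of those three loggers still lack the CEF appender reference. The embedded sample is constructed so that only com.novell has the comment removed; the required logger names are taken from the file above and the function names are this example's own.

```python
"""Report which loggers in an idmuserapp_logging.xml-style file send events to CEF.

Added example, not NetIQ code. ElementTree drops XML comments while parsing,
so an <appender-ref ref="CEF"/> that is still commented out does not count.
The sample below is constructed: the comment was removed only for com.novell.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<logging>
  <prefix>[RBPM]</prefix>
  <appenders>
    <appender class="com.netiq.idm.logging.syslog.CEFSyslogAppender" name="CEF">
      <param name="Threshold" value="ALL"/>
    </appender>
  </appenders>
  <loggers>
    <logger name="com.novell" level="INFO" additivity="true">
      <appender-ref ref="CEF"/>
    </logger>
    <logger name="com.sssw" level="INFO" additivity="true">
      <!-- remove this line to turn on CEF auditing
      <appender-ref ref="CEF"/>
      remove this line to turn on CEF auditing -->
    </logger>
    <logger name="com.netiq" level="INFO" additivity="true"/>
  </loggers>
</logging>
"""

# Loggers whose CEF appender-ref ships commented out in the sample file.
REQUIRED_LOGGERS = ("com.novell", "com.sssw", "com.netiq")


def cef_audit_status(xml_text, appender_name="CEF"):
    """Return (set of defined appender names, {logger name: references appender})."""
    root = ET.fromstring(xml_text)
    defined = {a.get("name") for a in root.iterfind("./appenders/appender")}
    status = {}
    for logger in root.iterfind("./loggers/logger"):
        refs = {r.get("ref") for r in logger.iterfind("appender-ref")}
        status[logger.get("name")] = appender_name in refs
    return defined, status


def missing_cef_loggers(xml_text, required=REQUIRED_LOGGERS):
    """Names from `required` that do not yet route events to the CEF appender.

    If the CEF appender itself is not defined, none of the loggers can use it,
    so every required logger is reported.
    """
    defined, status = cef_audit_status(xml_text)
    if "CEF" not in defined:
        return list(required)
    return [name for name in required if not status.get(name, False)]


if __name__ == "__main__":
    print("loggers still without CEF:", missing_cef_loggers(SAMPLE_XML))
```

Point the same function at the deployed file after editing it; an empty list means all three loggers now carry the CEF appender reference and the comment markers were removed correctly.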
The following is a sample of the idmrptdcs_logging.xml file: 

<logging> 

<!--Defines location of Syslog server.--> 
<!-- 
<SyslogHost>127.0.0.1</SyslogHost> 
<SyslogPort>1468</SyslogPort> 
--> 

<!--Specify protocol to be used (UDP/TCP/SSL) --> 
<!-- 
<SyslogProtocol>TCP</SyslogProtocol> 
--> 

<!--Specify SSL keystore file for SSL connection. 
~ File path should be given with double backslash. 
--> 
<!-- 
<SyslogSSLKeystoreFile>/opt/netiq/idm/jre/lib/security/cacerts</SyslogSSLKeystoreFile> 
--> 

<!--Specify SSL keystore password for SSL connection. --> 
<!-- 
<SyslogSSLKeystorePassword>password</SyslogSSLKeystorePassword> 
--> 

<!--Specify whether to append the component name before the event message 
~ Inputs should be yes/no 
~ If NetIQ Sentinel is the event listener, this option should be set to 'yes' 
--> 
<!-- 
<AppendComponentName>yes</AppendComponentName> 
--> 

<!--Defines caching for SyslogAppender. 
~ Inputs should be yes/no 
--> 
<!-- 
<CacheEnabled>yes</CacheEnabled> 
--> 

<!--Cache location Directory 
~ Directory should be available for creating cache files 
~ Directory should have 'novlua' permission for caching to work correctly 
--> 
<!-- 
<CacheDir>/tmp/IDMcache</CacheDir> 
--> 

<!--Cache File Size 
~ Cache File size should be in the range of 50MB to 4000MB 
--> 
<!-- 
<CacheRolloverSize>50</CacheRolloverSize> 
--> 

<!--Log file for appender 
~ The directory containing the file specified should have 'novlua' permission to work correctly. 
--> 
<!-- 
<FileAppenderFileName>/var/opt/netiq/idm/dcs-cache/cef-events.log</FileAppenderFileName> 
--> 

<!--Max size of log file for file appender --> 
<!-- 
<FileMaxRolloverSize>50</FileMaxRolloverSize> 
--> 

</logging> 